Platform: nodejs
Component: @nor2/heim-mcp
Fixed in: 0.1.1, 0.1.2, 0.1.3, 0.1.4
CVE-2026-5602 is a command injection vulnerability in Nor2-io's heim-mcp component, within its newheimapplication tool. Successful exploitation allows an attacker with local access to execute arbitrary operating system commands, potentially leading to system compromise. The flaw affects heim-mcp versions 0.1.0 through 0.1.3; version 0.1.4 contains the fix.
The vulnerability resides in the registerTools function of src/tools.ts, specifically in the newheimapplication/deployheimapplication/deployheimapplicationtocloud component. A local attacker can exploit it to execute arbitrary operating system commands, potentially compromising the integrity and confidentiality of data. The vulnerability is rated CVSS 5.3, a moderate risk. Public disclosure of the vulnerability increases the likelihood of exploitation.
Exploitation requires local access to the affected system: an attacker must already be able to execute code on the host before the flaw in registerTools can be leveraged. Because the vulnerability has been publicly disclosed, attackers may have access to details of how to exploit it, which raises the risk of targeted attacks. Monitor affected systems for signs of suspicious activity.
EPSS: 0.08% (24th percentile)
To mitigate this vulnerability, upgrade to heim-mcp version 0.1.4 or later. That release includes the patch, identified by the hash c321d8af25f77668781e6ccb43a1336f9185df37, that addresses the command injection issue; applying it is the most effective protection. The vendor has been contacted and is expected to provide further information and technical support as needed. Verify the integrity of the downloaded patch before installation.
Updating to version 0.1.4 or higher corrects the registerTools function in src/tools.ts and eliminates the possibility of arbitrary command execution.
Command injection is a vulnerability that allows an attacker to execute arbitrary commands on the underlying operating system through a vulnerable application.
Local access means the attacker must already be able to execute code directly on the affected system.
The updated version (0.1.4 or later) should be available from the official Nor2-io repository.
If immediate updating is not possible, apply compensating controls such as restricting local access to the system and monitoring for suspicious activity.
Contact the vendor, Nor2-io, for additional technical support.