elgentos magento2-dev-mcp 漏洞 CVE-2026-5603：命令注入 (5.3 MEDIUM)

在elgentos的magento2-dev-mcp扩展程序中发现了一个漏洞，影响到1.0.2及更早的版本。该漏洞位于文件src/index.ts中的executeMagerun2Command函数，是一种操作系统命令注入（OS）漏洞。本地攻击者可以利用此漏洞在服务器上执行任意命令，从而可能损害数据的完整性和保密性。公开的漏洞利用程序的存在会大大增加风险，因为它使恶意行为者更容易利用该漏洞。根据CVSS，该漏洞的严重程度评分为5.3。为了减轻这种风险，必须应用提供的补丁。

Development teams using elgentos magento2-dev-mcp in their Magento 2 projects are at significant risk. Environments with developers having direct shell access to the server are particularly vulnerable. Shared hosting environments where multiple users share the same server instance also face increased risk, as a compromised user account could potentially exploit this vulnerability.

• nodejs: Monitor process execution for suspicious commands invoked by the @elgentos/magento2-dev-mcp package.

ps aux | grep '@elgentos/magento2-dev-mcp' | grep -i 'command injection'

• linux / server: Examine system logs for evidence of command execution attempts originating from the application.

journalctl -u magento2-dev-mcp -g 'command injection'

• generic web: Inspect access logs for unusual requests targeting the src/index.ts file, particularly those containing shell metacharacters.

grep -i 'command injection' /var/log/apache2/access.log

1. 2026-04-06Disclosure

   disclosure

2. 2026-04-06PoC

   poc

3. 2026-04-06Patch

   patch

1. 已保留2026-04-05
2. 发布日期2026-04-06
3. EPSS 更新日期2026-04-13

解决此漏洞的推荐方法是应用哈希值为aa1ffcc0aea1b212c69787391783af27df15ae9d的补丁。此补丁修复了executeMagerun2Command函数中的操作系统命令注入漏洞。强烈建议尽快将magento2-dev-mcp扩展程序更新到修复后的版本。此外，请检查Magento服务器的安全配置，以确保实施了最佳实践并最小化攻击面。监控服务器日志是否存在可疑活动也是一项重要的预防措施。