@wonderwhy-er/desktop-commander@0.2.18-alpha.8 vulnerabilities

MCP server for terminal operations and file editing

Direct Vulnerabilities

Known vulnerabilities in the @wonderwhy-er/desktop-commander package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version
  • M
Command Injection

@wonderwhy-er/desktop-commander is an MCP server for terminal operations and file editing.

Affected versions of this package are vulnerable to Command Injection via the CommandManager class. An attacker can execute arbitrary operating system commands by embedding them in a command supplied remotely.

How to fix Command Injection?

There is no fixed version for @wonderwhy-er/desktop-commander.

*
  • M
Command Injection

@wonderwhy-er/desktop-commander is an MCP server for terminal operations and file editing.

Affected versions of this package are vulnerable to Command Injection via the extractBaseCommand function. An attacker can execute arbitrary operating system commands by supplying crafted input that is processed by this function.

How to fix Command Injection?

There is no fixed version for @wonderwhy-er/desktop-commander.

*
  • L
UNIX Symbolic Link (Symlink) Following

@wonderwhy-er/desktop-commander is an MCP server for terminal operations and file editing.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the isPathAllowed function. An attacker can create a symlink inside an allowed directory that points to a restricted location.

How to fix UNIX Symbolic Link (Symlink) Following?

There is no fixed version for @wonderwhy-er/desktop-commander.

*