Newline injection in ssh-mcp breaks out of su shell
TL;DR - ssh-mcp <= 1.5.0: the description argument is appended unsanitised into shell.write(). Newlines are not escaped. With a persistent root shell active via --suPassword, a single crafted description value injects extra commands into that shell.
What happened
ssh-mcp (tufantunc/ssh-mcp) is a local Model Context Protocol server that exposes SSH command execution to MCP clients - typically LLM-based agents - through tools like exec and sudo-exec.
CVE-2026-7039 covers a command injection flaw in all versions up to and including 1.5.0. The sink is shell.write() in src/index.ts. When a command is written into an interactive shell session, the description argument is appended as a comment. Only the # character is escaped. Newline characters are not. An attacker who can control description can embed \n sequences, turning what looks like a comment into additional shell lines.
The blast radius depends on mode. In normal use the impact is limited. Enable --suPassword - the project-documented mode for persistent root access - and those injected lines run in a root shell.
| Item | Detail |
|---|---|
| Affected project | tufantunc/ssh-mcp |
| Affected versions | <= 1.5.0 |
| Vulnerable sink | shell.write() in src/index.ts |
| Injection vector | description argument |
| CVSS v3.1 (CNA) | 7.8 (High) |
| CVSS v4.0 (CNA) | 8.5 (High) |
The subtlety worth flagging to platform teams adopting MCP-style agent tooling: description reads like an innocuous logging hint. In su mode it becomes a second command channel - one that may receive far less scrutiny than command itself.
Who is impacted
- Teams running
ssh-mcpat versions<= 1.5.0. - Highest risk: deployments with
--suPasswordenabled, where injected lines run with root privileges inside a persistent shell. - Any environment where an untrusted or steerable MCP client can supply tool arguments - particularly
description- and the server has access to high-value SSH credentials or privileged targets.
What to do now
- Check for a patched release. NVD does not list a confirmed fixed version at the time of writing. Monitor the upstream repository for a patch and apply it as soon as one is available.
- Until a fix is confirmed and deployed:
- Disable persistent root shell mode. Avoid
--suPasswordunless it is strictly required for your use case. - Treat
descriptionas untrusted input. Do not allow it to be sourced from user-controlled or model-controlled text without sanitisation. - Keep the MCP server local-only where feasible. Restrict which clients can invoke
execandsudo-exec.
- Disable persistent root shell mode. Avoid
- For detection and scoping:
- Inventory all hosts running
ssh-mcpand identify which are configured with--suPassword. - Review MCP client logs and SSH target audit logs for privileged commands that do not match expected tool call patterns.
- Inventory all hosts running
Related
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.