
Blocklist bypass enables host RCE in terminal-controller MCP

2 min read · Published 19 Apr 2026 · Source: Openwall oss-security

TL;DR — terminal-controller-mcp’s substring-based “dangerous command” blocklist is trivially bypassed, so attacker-influenced model output can translate into full host command execution.

What happened

terminal-controller-mcp is an open-source Python MCP (Model Context Protocol) server intended to let AI models (e.g., Claude, GPT-4) execute shell commands on a host. An oss-security disclosure reports that the project’s only safety control is a simple keyword blocklist applied to the input string before passing it to asyncio.create_subprocess_shell() with executable="/bin/bash".

Because the filter checks only for literal substrings (e.g., "rm -rf /", "mkfs") in the raw input, ordinary shell features can reconstruct a blocked command at execution time (e.g., command substitution, variable reassembly, eval), so the string the filter inspects never needs to contain the blocked token. The author characterizes this as enabling arbitrary OS command execution whenever an attacker can influence the MCP server input, including via prompt-injection scenarios.

The report assigns a CVSS 3.1 base score of 10.0 (Critical) and highlights a broader AppSec pattern: blocklists are not a security boundary for shell execution, and MCP-style “tools that run commands” materially expand the prompt-injection-to-RCE blast radius in AI-agent deployments.

Who is impacted

  • Deployments using terminal-controller-mcp / terminal-controller where the MCP server can receive attacker-influenced instructions (including indirect influence via prompt injection).
  • Any environment relying on the project’s built-in blocklist as a meaningful control for dangerous command execution.
Component: terminal-controller / terminal-controller-mcp
Affected versions (per disclosure): All versions <= 0.1.9
Fixed versions (per disclosure): None (repository archived; no patch expected)

What to do now

  • Follow the disclosure’s guidance and treat this component as unsafe-by-design in production environments:

    Do not use terminal-controller-mcp. There is no patch and no plan for one.

  • Inventory whether you run terminal-controller / terminal-controller-mcp anywhere (developer laptops, internal agent hosts, CI workers, shared jump boxes) and identify what identities/secrets the host can access.
  • If you must support shell execution via MCP-like tooling, align controls with the disclosure’s recommended direction:
    • run in a sandboxed environment (e.g., container with restricted filesystem namespace and limited syscalls)
    • implement allowlist-based (not blocklist-based) command validation
  • If compromise is suspected, treat the host as potentially fully compromised: rotate credentials reachable from the agent host and review egress / process execution telemetry for unexpected activity.
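The allowlist direction described above, as an added example that is not part of the disclosure or of terminal-controller-mcp's own code: instead of searching the raw string for bad substrings, parse it, accept only a known executable with known flags, and execute it without any shell so there is nothing for substitution or chaining to act on. ALLOWED_COMMANDS, CommandRejected, validate_command, is_allowed and run_validated are names constructed for this example.

```python
import asyncio
import shlex
from typing import Dict, List, Tuple

# Hypothetical allowlist (constructed for this example): executable -> flags.
# Anything absent from this table is rejected; no blocklist is consulted.
ALLOWED_COMMANDS: Dict[str, Tuple[str, ...]] = {"ls": ("-l", "-a", "-la"),
                                                 "cat": ("-n",)}
# Shell metacharacters: execution below never uses a shell, so these cannot
# trigger substitution or chaining; rejecting them keeps the policy simple.
SHELL_METACHARS = set("$`;|&<>(){}[]*?~!\\\n")

class CommandRejected(ValueError):
    """Raised when a command fails allowlist validation."""

def validate_command(raw: str) -> List[str]:
    """Return argv for an allowlisted command, or raise CommandRejected."""
    if any(ch in SHELL_METACHARS for ch in raw):
        raise CommandRejected("shell metacharacters are not permitted")
    try:
        argv = shlex.split(raw)
    except ValueError as exc:
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        raise CommandRejected(f"{prog!r} is not an allowlisted executable")
    for arg in args:
        if arg.startswith("-") and arg not in ALLOWED_COMMANDS[prog]:
            raise CommandRejected(f"flag {arg!r} not permitted for {prog!r}")
        if arg.startswith("/") or ".." in arg:
            raise CommandRejected("absolute paths and '..' are not permitted")
    return argv

def is_allowed(raw: str) -> bool:
    """True if validate_command accepts the input, False otherwise."""
    try:
        validate_command(raw)
    except CommandRejected:
        return False
    return True

async def run_validated(raw: str) -> Tuple[int, str]:
    """Run an allowlisted command without a shell; return (rc, output)."""
    argv = validate_command(raw)
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.STDOUT)
    out, _ = await proc.communicate()
    return proc.returncode, out.decode(errors="replace")
```

Note that `create_subprocess_exec` passes argv straight to the program, so even an input that slipped past the validator would be executed as literal arguments rather than interpreted by /bin/bash; the validator and the shell-free exec are two independent layers, and the sandbox the disclosure recommends is a third.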
