{"data":{"id":"54b11719-913c-4dc6-933a-296e22926c33","title":"GHSA-p4h8-56qp-hpgv: SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh","summary":"An SSH/SCP option injection vulnerability in the @aiondadotcom/mcp-ssh library allowed attackers to execute arbitrary commands locally on the machine running the MCP server (a tool that connects an AI agent to external systems). Because ssh and scp parse their argument vector left to right, a host alias that begins with a dash is consumed as an option rather than a host name: a crafted value such as `-oProxyCommand=...` makes SSH run the attacker's command on the MCP host before any network connection is opened, which can expose SSH keys and other credentials stored there. No malicious user is required, since an LLM (large language model) driving the tool can be steered through prompt injection (attacker instructions hidden in text it reads) into passing the malicious value as the host alias.","solution":"Fixed in version 1.3.5. The patch adds `--` argument terminators to all SSH/SCP invocations (marking where options end and positional arguments begin), enforces a strict whitelist for host aliases that rejects leading dashes and shell metacharacters, requires every host alias to be defined in `~/.ssh/config` or `~/.ssh/known_hosts`, and on Windows resolves `ssh.exe`/`scp.exe` to absolute paths and spawns them with `shell: false` so the command line is not re-parsed by a shell. No workarounds exist; users must upgrade to 1.3.5.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-p4h8-56qp-hpgv","publishedAt":"2026-04-14T00:04:10.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["prompt_injection","supply_chain"],"issueType":"vulnerability","affectedPackages":["@aiondadotcom/mcp-ssh@< 1.3.5 (fixed: 1.3.5)"],"affectedVendors":[],"affectedVendorsRaw":["@aiondadotcom/mcp-ssh","MCP"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-14T00:04:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}