GHSA-p4h8-56qp-hpgv: SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh
Summary
An SSH/SCP option injection vulnerability in the @aiondadotcom/mcp-ssh library allowed attackers to execute arbitrary commands locally on the machine running the MCP server (a tool that connects an AI to external systems). By crafting malicious input like `-oProxyCommand=...`, attackers could trick SSH into running their code before any network connection happened, potentially stealing SSH keys and credentials. The vulnerability could be triggered even without a malicious user, since an LLM (large language model) could be tricked through prompt injection (hiding attacker instructions in text it reads) to pass the malicious input to the tool.
Solution / Mitigation
Fixed in version 1.3.5. The patch includes: adding `--` argument terminators to all SSH/SCP invocations (which tells the command where options end and arguments begin), implementing a strict whitelist for host aliases that rejects leading dashes and shell metacharacters, requiring all host aliases to be defined in `~/.ssh/config` or `~/.ssh/known_hosts`, and resolving `ssh.exe`/`scp.exe` to absolute paths with `shell: false` on Windows to prevent command re-parsing. No workarounds exist; users must upgrade to 1.3.5.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-p4h8-56qp-hpgv
First tracked: April 14, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%