CVE-2025-59834
CRITICAL
Srmorete Adb Mcp Server < 0.1.0 - Command Injection
Title source: rule
Description
ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the server is vulnerable to command injection through some of its MCP Server tool definitions and their implementation. This issue has been patched via commit 041729c.
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/srmorete/adb-mcp/security/advisories/GHSA-54j7-grvr-9xwg
Patch x_refsource_misc
https://github.com/srmorete/adb-mcp/commit/041729c0b25432df3199ff71b3163a307cf4c28c
Product x_refsource_misc
https://github.com/srmorete/adb-mcp/blob/master/src/index.ts#L334-L355
Scores
CVSS v3: 9.8
EPSS: 0.0160
EPSS Percentile: 81.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78, CWE-77
Status: published
Products (2)
npm/adb-mcp
0npm
srmorete/adb_mcp_server
< 0.1.0
Published: Sep 25, 2025
Tracked Since: Feb 18, 2026