CVE-2025-59834

CRITICAL

srmorete adb_mcp_server < 0.1.0 - OS Command Injection in MCP Server Tool Implementation

Title source: llm

Description

ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, some of the server's MCP tool definitions and implementations are vulnerable to command injection. This issue has been patched via commit 041729c.

Scores

CVSS v3 9.8
EPSS 0.0227
EPSS Percentile 80.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-77 CWE-78
Status published
Products (2)
npm/adb-mcp 0npm
srmorete/adb_mcp_server < 0.1.0
Published Sep 25, 2025
Tracked Since Feb 18, 2026