CVE-2025-5277 CRITICAL

CVE-2025-5277

Vendor Alexei-Led

Product aws-mcp-server

Weakness CWE-78

Published May 28, 2025

Last update May 28, 2025

View on NVD All CVEs

CVSS base score

9.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the MCP client will run arbitrary commands on the host system.

Key dates

02Disclosure timeline

May 28, 2025 CVE published

May 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-5277

Related vulnerabilities

CVE-2025-5277

01Description

02Disclosure timeline

03References

04Related CVE