A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/…

A command injection vulnerability was discovered in 54yyyu code-mcp up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8. The vulnerability affects the git_operation function in src/code_mcp/server.py of the MCP Tool component. Attackers can manipulate the operation argument to achieve command injection remotely. The exploit has been publicly disclosed and is available for use. The project uses continuous delivery with rolling releases, making version tracking difficult. Despite early notification through an issue report, the project maintainers have not yet responded to address the vulnerability.