CVE-2025-9262
high
CVSS v3: 8.1
CVSS v2: 5.1
VIR risk: 8.1
Description
wong2 mcp-cli Command Injection Vulnerability
Predictions
Exploit likelihood: 88%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE; see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @wong2/mcp-cli | <=1.13.0 | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| wong2 | mcp-cli | 1.13.0 | |
References
- https://gist.github.com/superboy-zjc/a01bd059c4078249d899f8c70c8feb0e
- https://gist.github.com/superboy-zjc/a01bd059c4078249d899f8c70c8feb0e#proof-of-concept
- https://vuldb.com/?ctiid.320804
- https://vuldb.com/?id.320804
- https://vuldb.com/?submit.631697
- https://nvd.nist.gov/vuln/detail/CVE-2025-9262
- https://github.com/wong2/mcp-cli/pull/16
- https://github.com/wong2/mcp-cli/commit/35629664cc5d3aea4c3d083d075fe26e7c346b59
- https://github.com/wong2/mcp-cli
CWEs
CWE-77 CWE-78