Skip to content

Don’t use shell=True in mcp dev subprocess on Windows (command injection risk) #1257

New issue
New issue
Open
#2190
Open
Don’t use shell=True in mcp dev subprocess on Windows (command injection risk)#1257
#2190
Labels
P1Significant bug affecting many users, highly requested featurebugSomething isn't workingready for workEnough information for someone to start working on
@0x-Professor

Description

@0x-Professor
0x-Professor
opened on Aug 10, 2025

Initial Checks

Description

What’s happening:

When you run the mcp dev command on Windows, it starts another program using a method (subprocess.run with shell=True) that lets the Windows command prompt (cmd.exe) handle the command. This is risky because if any part of the command includes special characters (like &, |, %, etc.), Windows might run something you didn’t expect — even another program, if the file path or arguments are weirdly named or crafted.

Why this is a real problem:

  • This isn’t just a theory — it’s a well-known risk with shell=True in Python. If anyone (or any script) can control part of the file path or arguments, they might be able to run extra commands on your computer.
  • The Python documentation says to avoid shell=True when possible for exactly this reason.
  • The fix is easy: use shell=False and make sure the right Windows executable is picked (like npx.cmd).
  • This keeps things safe and works the same on all systems.

What should happen instead:

  • The command should be run without shell=True on Windows, just like it is on Linux/Mac.
  • File paths and arguments should always be passed as a list, not a single string.

How this could be abused:

  • If someone manages to sneak a file or argument with a shell special character into your project, running mcp dev could run extra commands (for example, opening Calculator if the file had &calc in its name).

Please fix:

  • Remove shell=True from the subprocess.run call in src/mcp/cli/cli.py (Windows part).
  • Make sure the command and its arguments are always passed as a list.
  • Make sure it works on Windows by using the right executable (like npx.cmd).

Thanks!

Example Code

# Example of risky situation on Windows:
# If a file is named "server&calc.py" and you run:
#   mcp dev path\to\server&calc.py
# Windows might run Calculator because of the &

# Please see src/mcp/cli/cli.py (mcp dev command) for the subprocess.run([npx_cmd, ...], shell=True, ...)

Python & MCP Python SDK

Python 3.11, Windows 11, latest MCP Python SDK (main branch, August 2025)

Metadata

Metadata

Assignees

No one assigned

    Labels

    P1Significant bug affecting many users, highly requested featurebugSomething isn't workingready for workEnough information for someone to start working on

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions