Initial Checks
Description
What’s happening:
When you run the mcp dev command on Windows, it starts another program using a method (subprocess.run with shell=True) that lets the Windows command prompt (cmd.exe) handle the command. This is risky because if any part of the command includes special characters (like &, |, %, etc.), Windows might run something you didn’t expect — even another program, if the file path or arguments are weirdly named or crafted.
Why this is a real problem:
- This isn’t just a theory — it’s a well-known risk with shell=True in Python. If anyone (or any script) can control part of the file path or arguments, they might be able to run extra commands on your computer.
- The Python documentation says to avoid shell=True when possible for exactly this reason.
- The fix is easy: use shell=False and make sure the right Windows executable is picked (like npx.cmd).
- This keeps things safe and works the same on all systems.
What should happen instead:
- The command should be run without shell=True on Windows, just like it is on Linux/Mac.
- File paths and arguments should always be passed as a list, not a single string.
How this could be abused:
- If someone manages to sneak a file or argument with a shell special character into your project, running mcp dev could run extra commands (for example, opening Calculator if the file had &calc in its name).
Please fix:
- Remove shell=True from the subprocess.run call in src/mcp/cli/cli.py (Windows part).
- Make sure the command and its arguments are always passed as a list.
- Make sure it works on Windows by using the right executable (like npx.cmd).
Thanks!
Example Code
# Example of risky situation on Windows:
# If a file is named "server&calc.py" and you run:
# mcp dev path\to\server&calc.py
# Windows might run Calculator because of the &
# Please see src/mcp/cli/cli.py (mcp dev command) for the subprocess.run([npx_cmd, ...], shell=True, ...)
Python & MCP Python SDK
Python 3.11, Windows 11, latest MCP Python SDK (main branch, August 2025)
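One way to apply the requested fix, as an added example that is not the SDK's own code: resolve the npx launcher explicitly, pass an argument list with shell=False, and, because Windows still hands .cmd and .bat files to cmd.exe regardless of the shell argument (noted in the Python subprocess documentation), reject cmd.exe metacharacters in arguments when the launcher is a batch file. The function names, the metacharacter set and the sample values are assumptions made for illustration.

```python
import shutil
import subprocess
import sys

# Characters cmd.exe treats specially. Windows launches .cmd/.bat files through
# cmd.exe even when shell=False, so these stay dangerous for npx.cmd.
# (Assumed, conservative set chosen for this example.)
CMD_METACHARS = set('&|<>^%!"\r\n')


def resolve_npx(platform=sys.platform, which=shutil.which):
    """Return the full path of the npx launcher, or None if it is not on PATH."""
    names = ("npx.cmd", "npx.exe", "npx") if platform == "win32" else ("npx",)
    for name in names:
        path = which(name)
        if path:
            return path
    return None


def build_command(npx_path, args):
    """Build an argv list (never a single command string) and vet the arguments."""
    if npx_path.lower().endswith((".cmd", ".bat")):
        for arg in args:
            bad = CMD_METACHARS.intersection(arg)
            if bad:
                raise ValueError(f"refusing argument {arg!r}: contains {sorted(bad)}")
    return [npx_path, *args]


def run(argv, **kwargs):
    """Run argv directly, with no shell requested between Python and the child."""
    return subprocess.run(argv, shell=False, check=True, **kwargs)


def echo_argument(arg):
    """Demonstration: a child started from a list receives arg as one argv entry."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", arg]
    return run(child, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # Constructed file name taken from the scenario in the report.
    print(echo_argument("server&calc.py"))
    npx = resolve_npx()
    print(build_command(npx, ["--version"]) if npx else "npx not found on PATH")
```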