Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| >= 1.3.3 | ✅ |
| < 1.3.3 | ❌ |
CVE: To be assigned
Severity: Moderate
Fixed in: v1.3.3 (2025)
Description: Previous versions contained command injection vulnerabilities in several MCP tools (ui_tap, ui_type, ui_swipe, ui_describe_point, ui_describe_all, screenshot, record_video, stop_recording) due to unsafe shell command construction using string interpolation.
Impact: Malicious input could potentially execute arbitrary commands on the host system.
Fix: Replaced unsafe execAsync string interpolation with secure execFile calls using argument arrays. Added input validation.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.
You can expect an initial response to your report within 48 hours. We will keep you informed about the progress of addressing the vulnerability and will work with you to coordinate the disclosure timeline.
If the vulnerability is accepted:
- We will work on a fix and keep you updated on the progress
- Once a fix is ready, we will coordinate with you on the disclosure timeline
- You will be credited for the discovery (unless you prefer to remain anonymous)
If the vulnerability is declined:
- We will provide a detailed explanation of why it was not accepted
- If appropriate, we will suggest alternative approaches or mitigations