SCA: security update for @translated/lara-mcp (GHSA-xj5p-8h7g-76m7)

high Tenable Self-Hosted Container Security Plugin ID 428461

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Lara Translate MCP Server is a Model Context Protocol (MCP) Server for Lara Translate API. Versions 0.0.11
and below contain a command injection vulnerability which exists in the @translated/lara-mcp MCP Server.
The vulnerability is caused by the unsanitized use of input parameters within a call to
child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can
lead to remote code execution under the server process's privileges. The server constructs and executes
shell commands using unvalidated user input directly within command-line strings. This introduces the
possibility of shell metacharacter injection (|, >, &&, etc.). This vulnerability is fixed in version
0.0.12. (CVE-2025-53832)

See Also

https://github.com/advisories/GHSA-xj5p-8h7g-76m7

Plugin Details

Severity: High

ID: 428461

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 7/21/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53832

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2025

Vulnerability Publication Date: 7/21/2025

Reference Information

CVE: CVE-2025-53832

cwe: CWE-77