Description
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the start_search component of DesktopCommanderMCP’s search-manager.ts module. An attacker can supply a crafted SearchResult[] argument that triggers a regular expression with inefficient complexity, leading to excessive CPU and memory use. The effect is a denial of service that can bring the application or its services down by exhausting resources. The weakness is identified as a regular expression denial of service (CWE-1333) and a lack of resource limits (CWE-400).

Affected Systems

The flaw affects wonderwhy-er DesktopCommanderMCP versions up to and including 0.2.38. The fix is available in version 0.2.39, which includes the patch commit 4ce845f8749b6a159b57b38dcc3357f7222a8078.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. Because a public exploit exists and the flaw can be triggered remotely by influencing the SearchResult[] input, the risk is real: an attacker can target the application over the network and potentially disrupt service for all users. The risk is mitigated only by applying the stated upgrade or by limiting access to the vulnerable function until the patch is applied.

Generated by OpenCVE AI on June 3, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DesktopCommanderMCP to version 0.2.39 or later to apply the official patch.
  • Restrict external access to the start_search function or enforce strong authentication so that only trusted users can invoke the vulnerable code path.
  • Continuously monitor application performance metrics and logs for abnormal CPU or memory spikes that could indicate an attempted ReDoS attack.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 02:30:00 +0000

Values Removed: (empty)
Values Added:
  Description: A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component.
  Title: wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos
  First Time appeared: Wonderwhy-er; Wonderwhy-er desktopcommandermcp
  Weaknesses: CWE-1333; CWE-400
  CPEs: cpe:2.3:a:wonderwhy-er:desktopcommandermcp:*:*:*:*:*:*:*:*
  Vendors & Products: Wonderwhy-er; Wonderwhy-er desktopcommandermcp
  References:
  Metrics:
    cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T13:47:07.613Z

Reserved: 2026-06-02T15:40:41.889Z

Link: CVE-2026-10691

Vulnrichment

Updated: 2026-06-03T13:46:59.252Z

NVD

Status: Received

Published: 2026-06-03T00:16:30.940

Modified: 2026-06-03T00:16:30.940

Link: CVE-2026-10691

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T03:45:23Z

Weaknesses