Impact
The vulnerability arises because the Roslyn CodeLens MCP Server loads and executes every DiagnosticAnalyzer assembly referenced by a target solution, with no allowlist, signature check or user confirmation. An attacker who can insert a malicious project file that references a DLL hosted at a location the victim opens with the MCP server can therefore execute arbitrary code inside the server process, with the privileges under which the server runs. The weakness is a form of code injection / dynamic code execution (CWE-94) and enables full compromise of the server host.
Affected Systems
The affected product is MarcelRoozekrans:roslyn-codelens-mcp. Versions from 0.0.9 up to but excluding 1.17.0 are vulnerable; the vulnerability is fixed in 1.17.0 and later releases.
Risk and Exploitability
The CVSS score of 7.8 corresponds to High severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, but the exploit path is relatively straightforward: the attacker controls a project file and places a malicious DLL at a location the victim will open. Once the MCP server processes that file, the attacker gains arbitrary code execution with the server's OS privileges. This poses a critical risk to any environment where the MCP server is used to analyze codebases, especially one that is exposed to untrusted projects.
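The mechanism described in the Impact and Risk sections is that analyzer DLL references in a project file are trusted implicitly. A defender who cannot upgrade immediately, or who wants to screen untrusted solutions before pointing any Roslyn-based tool at them, can audit the `<Analyzer Include="...">` items in `.csproj` files against an allowlist and flag references that point outside the project directory. The script below is an added example written for this page; it is not code from the roslyn-codelens-mcp project or from the advisory. The allowlist (`ALLOWED_ANALYZERS`), the sample project file and the item names in it are constructed for illustration.

```python
"""Audit .csproj files for analyzer assembly references that should not be loaded blindly.

Added example (not the project's own code). It flags <Analyzer> items that are
absolute or UNC paths, that escape the project directory via "..", or whose file
name is not on a hypothetical allowlist of known-good analyzer assemblies.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical allowlist of analyzer assembly file names an organisation has vetted.
ALLOWED_ANALYZERS = frozenset({"Trusted.Analyzers.dll"})

# Constructed sample project file (SDK-style, no MSBuild namespace). Not from the advisory.
SAMPLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <Analyzer Include="analyzers\Trusted.Analyzers.dll" />
    <Analyzer Include="\\share\drop\Evil.Analyzer.dll" />
    <Analyzer Include="..\..\tmp\Untrusted.dll;analyzers\Other.dll" />
  </ItemGroup>
</Project>
"""

# Drive letter (C:), UNC share (//host/share) or POSIX absolute path (/...).
_ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:|//|/)")


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix so old-style csproj files (with xmlns) also work."""
    return tag.rsplit("}", 1)[-1]


def analyzer_includes(csproj_xml: str):
    """Yield every analyzer path referenced by <Analyzer Include="..."> items.

    MSBuild allows several paths in one Include, separated by semicolons, and
    uses backslashes; both are normalised here.
    """
    root = ET.fromstring(csproj_xml)
    for elem in root.iter():
        if _local_name(elem.tag) != "Analyzer":
            continue
        for item in elem.get("Include", "").split(";"):
            item = item.strip()
            if item:
                yield item.replace("\\", "/")


def classify(path: str, allowlist=ALLOWED_ANALYZERS):
    """Return a reason string if the analyzer reference is untrusted, else None."""
    if "$(" in path:
        # An MSBuild property cannot be resolved statically; treat it as opaque.
        return "unresolved MSBuild property in path"
    if _ABSOLUTE_RE.match(path):
        return "absolute or UNC path"
    if ".." in path.split("/"):
        return "escapes the project directory"
    if path.rsplit("/", 1)[-1] not in allowlist:
        return "not on the allowlist"
    return None


def find_untrusted_analyzers(csproj_xml: str, allowlist=ALLOWED_ANALYZERS):
    """Return [(normalised_path, reason), ...] for every analyzer reference to reject."""
    findings = []
    for path in analyzer_includes(csproj_xml):
        reason = classify(path, allowlist)
        if reason is not None:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in find_untrusted_analyzers(SAMPLE_CSPROJ):
        print(f"REJECT {path}: {reason}")
```

Run over every `.csproj` in a solution before it is opened, and treat any finding as a reason not to load the solution with an analyzer-executing tool. Two caveats: analyzers delivered through NuGet `PackageReference` items arrive at restore time and are not visible as `<Analyzer>` items, so this check does not cover them, and a static allowlist keyed on file name is only a gate for review; the durable fix is the one the advisory describes, upgrading to 1.17.0 or later so the server itself stops loading analyzer assemblies without verification.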
OpenCVE Enrichment