CVE-2026-47708 - stata-mcp log_file_name command injection

stata-mcp before 1.17.3 embedded the user-supplied log_file_name parameter directly into a Stata command string. The advisory says the guard layer inspected do-file content but did not validate this wrapper parameter, so an attacker could inject arbitrary Stata commands such as shell, python, or destructive file operations by breaking out of the quoted log path. The same parameter also allowed path traversal outside the intended log directory.

This is an agent-wrapper problem, not just a Stata-script problem. A safe fix upgrades the package, validates wrapper parameters before command construction, verifies resolved paths stay inside the log directory, and avoids trusting user-chosen file names where an internal generated identifier would work.

When to use it

Use this recipe when a repository, MCP server catalog, desktop agent profile, or analytics workbench installs or wraps stata-mcp. It is built for source code remediation, MCP tool argument hardening, command-injection review, and audit evidence that user-controlled log names cannot escape the intended log directory or reach Stata command execution.

Inputs

  • stata-mcp package version, lockfile, MCP config, wrapper command, log directory configuration, and all places that set log_file_name.
  • Source paths that build Stata command strings, validate do-file content, normalize paths, or create logs.
  • Safe fixtures for quoted names, path traversal, shell-like payload strings, and expected reject/accept decisions.
  • Evidence of runtime reach: project files, data exports, credentials, temporary directories, and any shell/Python capabilities exposed through Stata.

Affected versions

  • Vulnerable package: stata-mcp <1.17.3
  • Fixed package: stata-mcp 1.17.3+
  • Affected API/CLI surface: stata_do tool and CLI stata-mcp tool do
  • Affected parameter: log_file_name
  • Related weakness: path traversal via generated log path

Indicator-of-exposure

  • The repository depends on, vendors, forks, or deploys stata-mcp <1.17.3.
  • An MCP server, CLI wrapper, notebook, service, or automation accepts untrusted or tenant-controlled log_file_name input.
  • The same service executes Stata with filesystem, shell, Python integration, or network authority that matters if command injection occurs.
  • Product code builds command strings for Stata or another interpreter from user-controlled filenames, do-file paths, or wrapper parameters.
  • The environment stores API keys, tenant data, research datasets, or local files accessible to the Stata process.

Quick checks:

rg -n "stata-mcp|stata_do|log_file_name|generate_log_file|generate_log_command|_execute_unix_like|_execute_windows|GuardValidator|dofile_path" .
pip show stata-mcp
python -m pip show stata-mcp
uv pip show stata-mcp
rg -n "shell|python|log using|stata_do|tool do|log_file_name" scripts .github Dockerfile* compose*.yml . 2>/dev/null

Windows:

rg -n "stata-mcp|stata_do|log_file_name|generate_log_file|generate_log_command|_execute_unix_like|_execute_windows|GuardValidator|dofile_path" .
pip show stata-mcp
python -m pip show stata-mcp
uv pip show stata-mcp
rg -n "shell|python|log using|stata_do|tool do|log_file_name" scripts .github Dockerfile* compose*.yml .

Do not send crafted log_file_name payloads to a live Stata runtime, execute shell commands through Stata during triage, or inspect sensitive log output.

Remediation strategy

  • Upgrade every controlled stata-mcp dependency, lockfile, container image, dev environment, and SBOM to 1.17.3+.
  • Apply strict allow-list validation to log_file_name: only safe characters, bounded length, and no quotes, separators, path traversal, whitespace control characters, or Stata command delimiters.
  • Resolve the generated log path and verify it remains inside the intended log directory before constructing any command string.
  • Prefer generated internal log filenames (UUIDs or server-created names) over caller-controlled names when possible.
  • Review related command-string surfaces such as dofile_path or any wrapper parameter later interpolated into Stata commands.
  • Rotate credentials or review artifacts if the Stata runtime had access to sensitive datasets, local files, or shell-capable integrations during the exposure window.

The prompt

You are remediating CVE-2026-47708 / GHSA-4p62-hqp5-g644, a critical
`stata-mcp` command-injection and path-traversal issue caused by unsafe
`log_file_name` handling. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades `stata-mcp`, validates
  log-file parameters and paths, hardens adjacent wrapper inputs, refreshes
  generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `stata-mcp`
  runtime, dependency, wrapper, image, or deployment.

## Rules

- Scope only CVE-2026-47708 / GHSA-4p62-hqp5-g644 and directly related
  `stata-mcp` wrapper hardening.
- Treat datasets, local files, API keys, notebooks, tenant data, generated
  logs, shell execution capability, and Stata/Python integration points as
  sensitive.
- Do not execute exploit payloads, `shell` commands, `python` commands, or
  path-traversal probes through Stata during validation.
- Do not print sensitive dataset content, logs, local file contents, or
  credentials in diagnostics or commits.
- Do not rely on do-file scanning alone as the fix; wrapper parameters must be
  validated before command construction.
- Do not auto-merge.

## Steps

1. Inventory every repository-controlled `stata-mcp` reference: dependency
   manifests, lockfiles, Dockerfiles, Compose files, notebooks, MCP configs,
   wrappers, scripts, CI jobs, SBOMs, generated dependency reports, and docs.
2. Determine every resolved `stata-mcp` version. A target is vulnerable if it
   resolves below `1.17.3`.
3. Search for all wrapper inputs that flow into Stata command strings:
   `log_file_name`, `dofile_path`, `generate_log_command`,
   `generate_log_file`, `_execute_unix_like`, `_execute_windows`,
   `GuardValidator`, and any custom wrapper layers.
4. If the repository does not control an affected runtime or wrapper, stop with
   `TRIAGE.md` listing checked files, runtime owner if known, and required
   fixed version `1.17.3+`.
5. Upgrade all controlled `stata-mcp` references to `1.17.3+`. Refresh
   lockfiles, environment specs, container images, SBOMs, dependency reports,
   and docs that pin the vulnerable version.
6. Add fail-closed input validation:
   - allow only approved characters for `log_file_name`;
   - reject quotes, semicolons, newlines, carriage returns, tabs, path
     separators, dot-dot traversal, wildcard metacharacters, and empty names;
   - enforce a sensible maximum length;
   - validate before any path or command assembly.
7. Canonicalize the constructed log path and verify it stays inside the
   intended log directory. Reject any path that escapes the boundary.
8. Where product behavior allows, stop accepting user-defined log filenames for
   command construction and generate server-owned identifiers instead.
9. Review adjacent wrapper inputs such as `dofile_path` and any other values
   embedded into Stata command strings. Apply the same structured validation or
   mapping approach where needed.
10. Add regression tests that do not execute attacker commands:
    - vulnerable versions are absent;
    - malformed `log_file_name` values are rejected;
    - path traversal is rejected;
    - safe names still produce expected logging behavior;
    - logs and error messages do not leak datasets, paths, or credentials.
11. Add a PR body section named `CVE-2026-47708 operator actions` that states:
    - `stata-mcp` versions before and after;
    - whether user-controlled log filenames were previously accepted;
    - whether adjacent wrapper parameters required hardening;
    - which sensitive datasets, files, or credentials may have been reachable;
    - whether log cleanup, credential rotation, or artifact review is needed;
    - which validation commands passed.
12. Run available validation: dependency install, unit tests, lint/typecheck,
    CLI tests, MCP-tool tests, container build, SBOM refresh, and
    dependency/security scans.
13. Use PR title:
    `fix(sec): remediate CVE-2026-47708 in stata-mcp`.

## Stop conditions

- No affected `stata-mcp` dependency, wrapper, or runtime is controlled by this
  repository.
- The vulnerable runtime is owned by another team or platform; document owner
  and required version in `TRIAGE.md`.
- A safe fix would require broader redesign outside repository ownership.
- Verification would require executing shell or Python payloads, probing
  sensitive files, or exposing real datasets.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades stata-mcp, validates log names and paths, removes command-string interpolation for user-controlled values, adds regression tests, and documents cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, exposed MCP tools, log path boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not execute shell, Python, destructive Stata commands, or tests against real sensitive datasets.

Verification - what the reviewer looks for

  • No controlled environment, image, lockfile, or manifest resolves stata-mcp <1.17.3.
  • log_file_name is validated before both path construction and command construction.
  • Canonicalized log paths cannot escape the intended log directory.
  • Adjacent wrapper parameters that reach Stata command strings are reviewed and hardened where necessary.
  • Operator notes cover any needed log cleanup or credential review.

Watch for

  • Fixing the package version while a local fork or vendored wrapper still constructs commands unsafely.
  • Validating only shell metacharacters but missing path traversal or newline injection.
  • Checking the path after the command string is already built.
  • Logging rejected user input verbatim when it may contain sensitive paths or exploit strings.

References