CVE-2026-47708 - stata-mcp log_file_name command injection
stata-mcp before 1.17.3 embedded the user-supplied log_file_name
parameter directly into a Stata command string. The advisory says the guard
layer inspected do-file content but did not validate this wrapper parameter, so
an attacker could inject arbitrary Stata commands such as shell, python, or
destructive file operations by breaking out of the quoted log path. The same
parameter also allowed path traversal outside the intended log directory.
This is an agent-wrapper problem, not just a Stata-script problem. A safe fix upgrades the package, validates wrapper parameters before command construction, verifies resolved paths stay inside the log directory, and avoids trusting user-chosen file names where an internal generated identifier would work.
When to use it
Use this recipe when a repository, MCP server catalog, desktop agent profile,
or analytics workbench installs or wraps stata-mcp. It is built for source
code remediation, MCP tool argument hardening, command-injection review, and
audit evidence that user-controlled log names cannot escape the intended log
directory or reach Stata command execution.
Inputs
stata-mcppackage version, lockfile, MCP config, wrapper command, log directory configuration, and all places that setlog_file_name.- Source paths that build Stata command strings, validate do-file content, normalize paths, or create logs.
- Safe fixtures for quoted names, path traversal, shell-like payload strings, and expected reject/accept decisions.
- Evidence of runtime reach: project files, data exports, credentials, temporary directories, and any shell/Python capabilities exposed through Stata.
Affected versions
- Vulnerable package:
stata-mcp <1.17.3 - Fixed package:
stata-mcp 1.17.3+ - Affected API/CLI surface:
stata_dotool and CLIstata-mcp tool do - Affected parameter:
log_file_name - Related weakness: path traversal via generated log path
Indicator-of-exposure
- The repository depends on, vendors, forks, or deploys
stata-mcp <1.17.3. - An MCP server, CLI wrapper, notebook, service, or automation accepts
untrusted or tenant-controlled
log_file_nameinput. - The same service executes Stata with filesystem, shell, Python integration, or network authority that matters if command injection occurs.
- Product code builds command strings for Stata or another interpreter from user-controlled filenames, do-file paths, or wrapper parameters.
- The environment stores API keys, tenant data, research datasets, or local files accessible to the Stata process.
Quick checks:
rg -n "stata-mcp|stata_do|log_file_name|generate_log_file|generate_log_command|_execute_unix_like|_execute_windows|GuardValidator|dofile_path" .
pip show stata-mcp
python -m pip show stata-mcp
uv pip show stata-mcp
rg -n "shell|python|log using|stata_do|tool do|log_file_name" scripts .github Dockerfile* compose*.yml . 2>/dev/null
Windows:
rg -n "stata-mcp|stata_do|log_file_name|generate_log_file|generate_log_command|_execute_unix_like|_execute_windows|GuardValidator|dofile_path" .
pip show stata-mcp
python -m pip show stata-mcp
uv pip show stata-mcp
rg -n "shell|python|log using|stata_do|tool do|log_file_name" scripts .github Dockerfile* compose*.yml .
Do not send crafted log_file_name payloads to a live Stata runtime, execute
shell commands through Stata during triage, or inspect sensitive log output.
Remediation strategy
- Upgrade every controlled
stata-mcpdependency, lockfile, container image, dev environment, and SBOM to1.17.3+. - Apply strict allow-list validation to
log_file_name: only safe characters, bounded length, and no quotes, separators, path traversal, whitespace control characters, or Stata command delimiters. - Resolve the generated log path and verify it remains inside the intended log directory before constructing any command string.
- Prefer generated internal log filenames (UUIDs or server-created names) over caller-controlled names when possible.
- Review related command-string surfaces such as
dofile_pathor any wrapper parameter later interpolated into Stata commands. - Rotate credentials or review artifacts if the Stata runtime had access to sensitive datasets, local files, or shell-capable integrations during the exposure window.
The prompt
You are remediating CVE-2026-47708 / GHSA-4p62-hqp5-g644, a critical
`stata-mcp` command-injection and path-traversal issue caused by unsafe
`log_file_name` handling. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades `stata-mcp`, validates
log-file parameters and paths, hardens adjacent wrapper inputs, refreshes
generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `stata-mcp`
runtime, dependency, wrapper, image, or deployment.
## Rules
- Scope only CVE-2026-47708 / GHSA-4p62-hqp5-g644 and directly related
`stata-mcp` wrapper hardening.
- Treat datasets, local files, API keys, notebooks, tenant data, generated
logs, shell execution capability, and Stata/Python integration points as
sensitive.
- Do not execute exploit payloads, `shell` commands, `python` commands, or
path-traversal probes through Stata during validation.
- Do not print sensitive dataset content, logs, local file contents, or
credentials in diagnostics or commits.
- Do not rely on do-file scanning alone as the fix; wrapper parameters must be
validated before command construction.
- Do not auto-merge.
## Steps
1. Inventory every repository-controlled `stata-mcp` reference: dependency
manifests, lockfiles, Dockerfiles, Compose files, notebooks, MCP configs,
wrappers, scripts, CI jobs, SBOMs, generated dependency reports, and docs.
2. Determine every resolved `stata-mcp` version. A target is vulnerable if it
resolves below `1.17.3`.
3. Search for all wrapper inputs that flow into Stata command strings:
`log_file_name`, `dofile_path`, `generate_log_command`,
`generate_log_file`, `_execute_unix_like`, `_execute_windows`,
`GuardValidator`, and any custom wrapper layers.
4. If the repository does not control an affected runtime or wrapper, stop with
`TRIAGE.md` listing checked files, runtime owner if known, and required
fixed version `1.17.3+`.
5. Upgrade all controlled `stata-mcp` references to `1.17.3+`. Refresh
lockfiles, environment specs, container images, SBOMs, dependency reports,
and docs that pin the vulnerable version.
6. Add fail-closed input validation:
- allow only approved characters for `log_file_name`;
- reject quotes, semicolons, newlines, carriage returns, tabs, path
separators, dot-dot traversal, wildcard metacharacters, and empty names;
- enforce a sensible maximum length;
- validate before any path or command assembly.
7. Canonicalize the constructed log path and verify it stays inside the
intended log directory. Reject any path that escapes the boundary.
8. Where product behavior allows, stop accepting user-defined log filenames for
command construction and generate server-owned identifiers instead.
9. Review adjacent wrapper inputs such as `dofile_path` and any other values
embedded into Stata command strings. Apply the same structured validation or
mapping approach where needed.
10. Add regression tests that do not execute attacker commands:
- vulnerable versions are absent;
- malformed `log_file_name` values are rejected;
- path traversal is rejected;
- safe names still produce expected logging behavior;
- logs and error messages do not leak datasets, paths, or credentials.
11. Add a PR body section named `CVE-2026-47708 operator actions` that states:
- `stata-mcp` versions before and after;
- whether user-controlled log filenames were previously accepted;
- whether adjacent wrapper parameters required hardening;
- which sensitive datasets, files, or credentials may have been reachable;
- whether log cleanup, credential rotation, or artifact review is needed;
- which validation commands passed.
12. Run available validation: dependency install, unit tests, lint/typecheck,
CLI tests, MCP-tool tests, container build, SBOM refresh, and
dependency/security scans.
13. Use PR title:
`fix(sec): remediate CVE-2026-47708 in stata-mcp`.
## Stop conditions
- No affected `stata-mcp` dependency, wrapper, or runtime is controlled by this
repository.
- The vulnerable runtime is owned by another team or platform; document owner
and required version in `TRIAGE.md`.
- A safe fix would require broader redesign outside repository ownership.
- Verification would require executing shell or Python payloads, probing
sensitive files, or exposing real datasets.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades
stata-mcp, validates log names and paths, removes command-string interpolation for user-controlled values, adds regression tests, and documents cleanup. - Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, exposed MCP tools, log path boundary, required fix, and residual risk. - The output must include exact validation commands and must not execute shell, Python, destructive Stata commands, or tests against real sensitive datasets.
Verification - what the reviewer looks for
- No controlled environment, image, lockfile, or manifest resolves
stata-mcp <1.17.3. log_file_nameis validated before both path construction and command construction.- Canonicalized log paths cannot escape the intended log directory.
- Adjacent wrapper parameters that reach Stata command strings are reviewed and hardened where necessary.
- Operator notes cover any needed log cleanup or credential review.
Watch for
- Fixing the package version while a local fork or vendored wrapper still constructs commands unsafely.
- Validating only shell metacharacters but missing path traversal or newline injection.
- Checking the path after the command string is already built.
- Logging rejected user input verbatim when it may contain sensitive paths or exploit strings.
Related recipes
- Source code injection sink audit
- Source code attack surface map
- Source code secrets and data exposure audit
- SAST finding triage and fix
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-4p62-hqp5-g644
- OSV advisory mirror: https://test.osv.dev/vulnerability/GHSA-4p62-hqp5-g644
- Fix commit: https://github.com/SepineTam/stata-mcp/commit/e6f945941ae0c7cf5e74a428e0b3dc82b396382f