Security Policy

This document outlines the security policy for the iOS Simulator MCP server, including supported versions and information on fixed vulnerabilities.

Supported Versions

Security updates are applied to the latest versions of the project. Please ensure you are using a supported version to receive security patches.

Version   | Supported
--------- | ---------------------------
>= 1.3.3  | Yes (:white_check_mark:)
<  1.3.3  | No (:x:)

Fixed Vulnerabilities

Command Injection (Fixed in v1.3.3)

  • Severity: Moderate
  • Fixed in: v1.3.3

Description: Versions prior to 1.3.3 contained command injection vulnerabilities in several MCP tools (ui_tap, ui_type, ui_swipe, ui_describe_point, ui_describe_all, screenshot, record_video, stop_recording). The vulnerability was caused by unsafe shell command construction using string interpolation with user-provided inputs.

Impact: Malicious input could lead to the execution of arbitrary commands on the host system running the MCP server.

Fix: The issue was resolved by replacing the execAsync calls that built a command string by interpolation with execFile calls, which pass each argument as a separate array element and do not spawn a shell. This prevents the shell from interpreting user input as commands. Additional input validation was also implemented.

Reporting a Vulnerability

We take security seriously. If you believe you have found a security vulnerability, please report it to us responsibly.

To report an issue, please use the "Report a Vulnerability" tab under the Security section of the project's GitHub repository.

  • You can expect an initial response to your report within 48 hours.
  • We will keep you informed about the progress of addressing the vulnerability.
  • We will work with you to coordinate a disclosure timeline.
  • You will be credited for the discovery unless you prefer to remain anonymous.