Name | Modified | Size | Downloads / Week
---|---|---|---
README.md | 2025-06-20 | 1.8 kB |
v1.3.3 - Cmd Injection Security Hardening source code.tar.gz | 2025-06-20 | 38.8 kB |
v1.3.3 - Cmd Injection Security Hardening source code.zip | 2025-06-20 | 42.4 kB |
Totals: 3 Items | | 82.9 kB | 0
iOS Simulator MCP v1.3.3
> [!WARNING]
> Security Notice: This release addresses a command injection vulnerability (moderate severity) present in versions < 1.3.3. Please update to v1.3.3 or later. This vulnerability is described in Snyk's article on Exploiting MCP Servers Vulnerable to Command Injection.
Security Fixes
- Patched Command Injection Vulnerability: Replaced `child_process.exec` with the more secure `child_process.execFile`. This mitigates command injection risks by ensuring user-provided inputs are treated as distinct arguments and not interpreted by the shell, following best practices from the Node.js security community.
- Strict Input Validation: Implemented robust input validation using `zod` for all user-provided arguments, including regex checks for UDIDs and length limits for paths and text.
- Secure Argument Handling: Added a `--` separator to commands to clearly distinguish options from positional arguments, preventing misinterpretation by the shell.
Affected Tools
The following tools have been secured:
- ui_tap
- ui_type
- ui_swipe
- ui_describe_point
- ui_describe_all
- screenshot
- record_video
- stop_recording
Documentation
- Updated `SECURITY.md`: The security policy was updated with details about the vulnerability, its impact, and the fix.
- Added `QA.md`: A new Quality Assurance guide (`QA.md`) was added with manual test cases.
- Updated `README.md`: The README now includes a prominent security notice and updated installation instructions.
Build
- Version Bump: The project version has been bumped to `1.3.3`.