CVE-2025-67366

Exploit

EPSS 0.07%
Veröffentlicht 07.01.2026 00:00:00
Zuletzt bearbeitet 29.01.2026 01:02:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sylphx ≫ Filesystem-mcp Version0.5.8 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.215

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/sylphxltd/filesystem-mcp/issues/134

Third Party Advisory

Exploit

https://github.com/sylphxltd/filesystem-mcp

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-67366

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67366

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67366

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-67366