@sylphxltd/filesystem-mcp Path Traversal Vulnerability in read_content Tool

Vulnerability

A critical path traversal vulnerability has been identified in version 0.5.8 of the @sylphxltd/filesystem-mcp package. It allows attackers to bypass the project root directory restriction by using symbolic links, gaining access to files outside the intended operational scope. The issue stems from improper handling of symlinks in path validation: the 'resolvePath' function checks that a path lies within the project root before any symlinks are resolved, while 'fs.readFile' resolves them automatically when the file is opened. As a result, an attacker can create or use a symlink inside the allowed directory that points to an external file; the validation passes on the unresolved path, and the read follows the link outside the directory restriction, granting unauthorized access to that file.

Impact

Exploitation of this vulnerability allows for unauthorized access to files outside the project's designated directory, potentially leading to exposure of sensitive information or system files.

Reproduction

To reproduce this vulnerability, create a symbolic link within the project directory that points to a file outside the allowed access path. Then, use the 'read_content' tool to request the symlinked file. The server will bypass the project root restrictions and return the contents of the external file, demonstrating the path traversal vulnerability.

Remediation

Users can update to version 0.6.0 or later, where this vulnerability has been fixed.

Added: Jan 7, 2026, 5:34 PM
Updated: Jan 7, 2026, 7:35 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       1.9
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.