Edvardlindelof Notes-MCP Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in Edvard Lindelof's Notes-MCP application, affecting versions up to 0.1.4. The issue is in the file 'notes_mcp.py': file paths derived from the 'root_dir' argument are not confined to that directory, allowing attackers to traverse outside it. This vulnerability can be exploited remotely, and a public exploit is available. The project has been notified of this issue but has not yet responded.

Impact

Exploitation of this vulnerability allows for arbitrary file read and write operations outside the intended notes directory, potentially overwriting important files or deleting them, depending on the user's filesystem permissions.

Reproduction

To reproduce this vulnerability, invoke the 'write' tool of the Notes-MCP server with a traversal path that includes '../' segments. This will escape the configured 'root_dir' and write a file outside the intended directory. The same can be done with the 'read' tool to access arbitrary files outside the notes directory.

Remediation

It is recommended to update the 'notes_mcp.py' file so that every requested path is normalized and then verified to still lie inside 'root_dir' before any file operation is performed. Additionally, destructive tools such as 'write' should be disabled in untrusted deployments until a fix is available.
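The following is an added illustration of that remediation pattern (normalize first, check the boundary second, touch the filesystem last); it is not code from Notes-MCP, and the function names, the 'write'/'read' wrappers and the scratch directory are assumptions made for the example.

```python
from pathlib import Path
import tempfile


def resolve_note_path(root_dir: str, requested: str) -> Path:
    """Normalize `requested` under root_dir and refuse anything outside it.

    Path.resolve() collapses '..' segments and follows symlinks, so the check
    is made on the path the OS would actually open. Joining an absolute
    `requested` discards root entirely; the same check catches that too.
    """
    root = Path(root_dir).resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:  # also rejects candidate == root itself
        raise ValueError(f"refusing path outside notes directory: {requested!r}")
    return candidate


def is_safe_note_path(root_dir: str, requested: str) -> bool:
    """Same check as a verdict, for tests and logging."""
    try:
        resolve_note_path(root_dir, requested)
        return True
    except ValueError:
        return False


def write_note(root_dir: str, name: str, content: str) -> Path:
    """Guarded 'write' tool (hypothetical): boundary check first, I/O second."""
    path = resolve_note_path(root_dir, name)
    path.parent.mkdir(parents=True, exist_ok=True)  # subdirs stay inside root
    path.write_text(content, encoding="utf-8")
    return path


def read_note(root_dir: str, name: str) -> str:
    """Guarded 'read' tool (hypothetical)."""
    return resolve_note_path(root_dir, name).read_text(encoding="utf-8")


def demo() -> dict:
    """Run the guard against a scratch root_dir and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:  # constructed sample root
        write_note(root, "todo.md", "- patch notes_mcp.py\n")
        return {
            "plain": read_note(root, "todo.md"),
            "traversal": is_safe_note_path(root, "../../etc/passwd"),
            "absolute": is_safe_note_path(root, "/etc/passwd"),
            "nested_ok": is_safe_note_path(root, "work/2026/plan.md"),
            "dotdot_inside": is_safe_note_path(root, "work/../todo.md"),
        }
```

Because the comparison is made after resolve(), a symlink inside the notes directory that points outside it is rejected as well, which a plain string check on '../' would miss.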

Added: Apr 28, 2026, 2:19 AM
Updated: Apr 28, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.0
exploitability: 8.7
remediation: 0.0
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.