Donchelo Processing-Claude MCP Bridge Path Traversal Vulnerability in Create Sketch Tool
Vulnerability
A path traversal vulnerability has been identified in the Donchelo Processing-Claude MCP Bridge, specifically in the create_sketch tool implemented in processing_server.py, in versions prior to commit e017b20a4b592a45531a6392f494007f04e661bd. The application concatenates the caller-supplied sketch_name directly into filesystem paths without validating it, so a name containing traversal sequences (such as ..) escapes the intended sketch directory. The flaw is reachable by any client that can invoke the tool over MCP; the published proof of concept creates files outside the designated Processing sketch directory, on the user's Desktop.
Impact
Exploitation allows arbitrary file creation and overwriting outside the intended Processing sketch directory, with the privileges of the account running the MCP server. This can corrupt existing files or interfere with user content in other locations reachable by that account.
Reproduction
To reproduce this vulnerability, send an MCP request that invokes the create_sketch or update_sketch tool with a sketch_name parameter containing traversal sequences, for example ..\..\Desktop\evil. The name escapes the default Processing sketch directory and the sketch files are created on the Desktop. The backslash form targets Windows; on POSIX systems the equivalent payload uses forward slashes, and the number of .. segments needed depends on where the sketch directory sits relative to the target location.
Remediation
Until the fix is applied, do not expose the create_sketch or update_sketch tools to untrusted callers. If temporary use is necessary, restrict the sketch_name parameter to a conservative allowlist of characters (for example letters, digits and underscores, with no path separators or dots) and, in addition, verify that the fully resolved target path still lies beneath the sketch directory before writing. Run the MCP server under a low-privilege account and store sketches in a directory that has no sensitive sibling paths.
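The following Python example, added here and not taken from the Donchelo project's own processing_server.py, illustrates both the reproduction above and the remediation. It contrasts a path builder that concatenates sketch_name the way the advisory describes with a hardened version that applies an allowlist and a resolved-path containment check, and it builds the MCP tools/call request a proof of concept would send. SKETCH_ROOT, the regex, the helper names, and the tool's code argument are assumptions for this example; only the tool name create_sketch and the parameter sketch_name come from the advisory. The example computes paths without writing any files.

```python
import os
import re
from pathlib import Path

# Constructed sketch directory for this example; the real server uses the
# Processing sketchbook location, which differs per platform and user.
SKETCH_ROOT = (Path.cwd() / "processing-sketches").resolve()

# Allowlist (assumption for this example): a sketch name starts with a letter
# and contains only letters, digits and underscores. This excludes '.', '/'
# and '\', so neither POSIX nor Windows traversal sequences can pass.
_SKETCH_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def vulnerable_sketch_path(sketch_name: str) -> Path:
    """Mirrors the flaw described in the advisory: the caller-supplied name is
    joined straight into the path, so '..' segments walk out of SKETCH_ROOT.
    Processing keeps each sketch in a folder named after it, so the name is
    used twice (folder and .pde file)."""
    return Path(os.path.join(str(SKETCH_ROOT), sketch_name, sketch_name + ".pde"))


def safe_sketch_path(sketch_name: str) -> Path:
    """Hardened form: reject anything outside the allowlist, then confirm the
    resolved target is still inside SKETCH_ROOT (defence in depth in case the
    allowlist is later loosened)."""
    if not _SKETCH_NAME_RE.fullmatch(sketch_name):
        raise ValueError(f"invalid sketch name: {sketch_name!r}")
    target = (SKETCH_ROOT / sketch_name / f"{sketch_name}.pde").resolve()
    if SKETCH_ROOT not in target.parents:
        raise ValueError("sketch path escapes the sketch directory")
    return target


def escapes_root(path: Path) -> bool:
    """True when the normalised path lies outside SKETCH_ROOT. Normalising
    collapses the '..' segments so the check sees the effective target."""
    normalised = Path(os.path.normpath(str(path)))
    return SKETCH_ROOT not in normalised.parents


def is_rejected(sketch_name: str) -> bool:
    """Convenience wrapper: does the hardened builder refuse this name?"""
    try:
        safe_sketch_path(sketch_name)
    except ValueError:
        return True
    return False


def build_create_sketch_request(sketch_name: str, code: str = "void setup() {}") -> dict:
    """JSON-RPC 2.0 tools/call message as used by MCP. The 'code' argument is an
    assumption about the tool's interface; sketch_name is named in the advisory."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "tools/call",
        "params": {
            "name": "create_sketch",
            "arguments": {"sketch_name": sketch_name, "code": code},
        },
    }


if __name__ == "__main__":
    # POSIX form of the advisory's payload; on Windows '..\\..\\Desktop\\evil'
    # behaves the same way against the vulnerable builder.
    payload = "../../Desktop/evil"
    print("vulnerable ->", vulnerable_sketch_path(payload), "escapes:",
          escapes_root(vulnerable_sketch_path(payload)))
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened accepts mySketch:", safe_sketch_path("mySketch"))
    print(build_create_sketch_request(payload))
```

The containment check uses Path.resolve so that symlinks inside the sketch directory cannot be used to redirect a write elsewhere; the allowlist alone would not catch that case. The same two checks apply unchanged to update_sketch, which the advisory names as reachable with the same parameter.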
