Elinsky Execution System MCP Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in Elinsky Execution System MCP version 0.1.0. The issue is in the 'add_action' tool, specifically within the '_get_context_file_path' function in 'src/execution_system_mcp/server.py'. Manipulating the 'context' argument lets an attacker traverse directories. The flaw can be exploited remotely, and an exploit has been published and may be used.
Impact
Exploitation of this vulnerability allows for unauthorized modification of existing markdown files outside the intended directory, potentially disrupting the user's workflow and related automation.
Reproduction
To reproduce this vulnerability, first ensure that the server is configured with a valid 'execution_system_repo_path' and that an attacker-chosen markdown file exists at '/tmp/esm_poc.md' with writable permissions. Then, send an MCP request using the 'add_action' tool, escaping the 'contexts/' directory through the 'context' field. The request will traverse the directory and modify the targeted file, demonstrating the path traversal vulnerability.
Remediation
It is recommended to restrict the 'context' field to an allowlist of known tags, canonicalize candidate paths to ensure they remain within the designated execution-system directory, and reject any 'file_path' containing traversal tokens or absolute-path markers. Until a fix is released, the server should be restricted to trusted callers.
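The allowlist and canonicalization checks recommended above could look like the following. This is an added example, not the project's own code or its fix. It assumes context files live at '<repo>/contexts/<context>.md'; the function name, exception class and sample tags are hypothetical.

```python
from pathlib import Path

# Assumption: context files live at <repo>/contexts/<context>.md; the real
# layout in server.py may differ. All names below are hypothetical.
ALLOWED_CONTEXTS = frozenset({"home", "office", "errands"})  # constructed sample tags


class ContextPathError(ValueError):
    """Raised when a 'context' value fails validation."""


def resolve_context_path(repo_root, context, allowed=ALLOWED_CONTEXTS):
    """Return the markdown path for a context tag, or raise ContextPathError."""
    # 1. Allowlist: only known tags are accepted. This alone rejects
    #    traversal sequences, absolute paths and non-string input.
    if not isinstance(context, str) or context not in allowed:
        raise ContextPathError(f"unknown context: {context!r}")

    # 2. Canonicalize, then confirm containment. Defense in depth: this
    #    still holds if the allowlist is misconfigured or a symlink has
    #    been planted inside contexts/.
    base = (Path(repo_root) / "contexts").resolve()
    candidate = (base / f"{context}.md").resolve()
    if base not in candidate.parents:
        raise ContextPathError(f"path escapes contexts/: {candidate}")
    return candidate


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "contexts").mkdir()
        # Constructed inputs: one valid tag, then values that must be refused.
        for value in ["home", "../../outside", "/tmp/esm_poc", None]:
            try:
                print("accepted:", resolve_context_path(root, value))
            except ContextPathError as exc:
                print("rejected:", exc)
```

Calling the resolver before every file open, and writing only to the path it returns, keeps the check and the write on the same canonical path.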
