fatbobman mail-mcp-bridge Path Traversal Vulnerability Allowing Arbitrary Directory Deletion
Vulnerability
A path traversal vulnerability has been identified in fatbobman mail-mcp-bridge versions through 1.3.3. The issue resides in an unknown function within the file src/mail_mcp_server.py. Each value in the message_ids argument is joined onto the attachment cache directory without being normalized, so a value containing traversal sequences such as ../ resolves to a directory outside the intended attachment cache root, and the cleanup tool then deletes it. The vulnerability can be exploited remotely by any client able to invoke the tool. The extraction flow in extract_attachments.py contains the same unsafe message_id-to-directory joining behavior, but the cleanup tool provides the more straightforward exploitation path because it deletes whatever directory the joined path resolves to.
Impact
Exploitation of this vulnerability allows for path traversal, leading to deletion of arbitrary directories outside the application's designated attachment cache, limited only by the filesystem permissions of the server process. This could result in the loss of important data or disruption of services that rely on the deleted files.
Reproduction
To reproduce this vulnerability, first ensure that the mail-mcp-bridge server is running with the default attachment base directory, /tmp/mail-mcp-attachments. Then create a directory outside the attachment cache root, such as /tmp/mail-mcp-bridge-poc, and place a file in it as a marker. Afterward, call the cleanup_attachments tool with a message_id containing traversal sequences (../) that resolves to the created directory. The server joins the value onto the base directory, resolves the path, finds the marker file, and deletes the entire directory, demonstrating the vulnerability. Use only a disposable directory for this step, since the deletion is real.
Remediation
Users are advised to upgrade to version 1.3.4, which addresses the vulnerability by normalizing Message-ID values before they are used as directory names, preventing directory traversal, and adding regression tests. The updated version is available on the fatbobman mail-mcp-bridge GitHub releases page.
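The following is an added example that is not code from the mail-mcp-bridge project or from the advisory. It reconstructs the unsafe message_id-to-directory join described under Vulnerability and the reproduction layout described under Reproduction inside a temporary directory, then shows one way to implement the kind of Message-ID normalization the Remediation section refers to, backed by a resolved-path check. The function names, the normalization allow-list, the result labels and the sample Message-IDs are assumptions for this example; only the default cache root /tmp/mail-mcp-attachments comes from the advisory.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumptions for this added example (not the project's code): the cache root
# below matches the default named in the advisory; function names, the
# Message-ID normalization rule and the result labels are invented here.
DEFAULT_BASE = Path("/tmp/mail-mcp-attachments")


def vulnerable_cache_dir(message_id: str, base: Path = DEFAULT_BASE) -> Path:
    """The unsafe pattern: the caller-controlled Message-ID is joined straight
    onto the cache root. '../x' walks out of it, and an absolute value replaces
    the root entirely (os.path.join discards the left side then)."""
    return Path(os.path.join(str(base), message_id)).resolve()


def escapes_cache_root(message_id: str, base: Path = DEFAULT_BASE) -> bool:
    """True when the unsafe join lands outside the cache root."""
    base_r = base.resolve()
    target = vulnerable_cache_dir(message_id, base)
    return target != base_r and base_r not in target.parents


def normalize_message_id(message_id: str) -> str:
    """Collapse a Message-ID into one safe path component: drop surrounding
    angle brackets, then replace every character outside a small allow-list
    with '_'. Path separators cannot survive; all-dot names are refused."""
    name = re.sub(r"[^A-Za-z0-9@._+-]", "_", message_id.strip().strip("<>"))
    if not name or set(name) <= {"."}:
        raise ValueError(f"unusable Message-ID: {message_id!r}")
    return name


def safe_cache_dir(message_id: str, base: Path = DEFAULT_BASE) -> Path:
    """Normalize, then independently confirm the resolved directory is a direct
    child of the cache root, so a future change to the normalizer cannot
    silently reopen the traversal."""
    base_r = base.resolve()
    target = (base_r / normalize_message_id(message_id)).resolve()
    if target.parent != base_r:
        raise ValueError(f"Message-ID escapes cache root: {message_id!r}")
    return target


def cleanup_attachments(message_ids, base: Path = DEFAULT_BASE) -> dict:
    """Hardened cleanup: remove only cache sub-directories that pass the
    checks, and report per id what happened."""
    results = {}
    for mid in message_ids:
        try:
            target = safe_cache_dir(mid, base)
        except ValueError:
            results[mid] = "rejected"
            continue
        if target.is_dir():
            shutil.rmtree(target)
            results[mid] = "deleted"
        else:
            results[mid] = "missing"
    return results


def run_scenario(tmp: Path) -> dict:
    """Recreate the advisory's reproduction layout inside tmp (constructed
    data): a cache root, one real cache entry, and a marker directory outside
    the root. Exercise the unsafe join, then the hardened cleanup."""
    base = tmp / "mail-mcp-attachments"
    (base / "good@example.com").mkdir(parents=True)
    outside = tmp / "mail-mcp-bridge-poc"
    outside.mkdir()
    (outside / "marker.txt").write_text("marker\n")
    traversal = "../mail-mcp-bridge-poc"
    return {
        # what the unpatched join does with the traversal value
        "unsafe_points_at_poc": vulnerable_cache_dir(traversal, base) == outside.resolve(),
        "unsafe_escapes": escapes_cache_root(traversal, base),
        "absolute_escapes": escapes_cache_root(str(outside), base),
        # what the hardened tool does with the same inputs
        "cleanup": cleanup_attachments([traversal, "..", "<good@example.com>"], base),
        "marker_survives": (outside / "marker.txt").exists(),
        "good_removed": not (base / "good@example.com").exists(),
    }


def run_scenario_in_tempdir() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return run_scenario(Path(tmp))


if __name__ == "__main__":
    for key, value in run_scenario_in_tempdir().items():
        print(f"{key}: {value}")
```

Running the script shows the unpatched join resolving ../mail-mcp-bridge-poc to the marker directory outside the cache root (and an absolute message_id replacing the root outright), while the hardened cleanup turns the traversal value into a harmless single component that does not exist, rejects ".." outright, and deletes only the genuine cache entry, leaving the marker file in place. The resolved-path check in safe_cache_dir is the part to keep even if the normalization rule changes.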
