Geekgod382 Filesystem MCP Server Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in Geekgod382 Filesystem MCP Server version 1.0.0. The issue lies in the 'is_path_allowed' function within 'server.py', which is relied on by the 'read_file_tool' and 'write_file_tool' components. The check can be bypassed, so files outside the designated root directory become reachable even though 'ALLOWED_PATHS' is set. The flaw can be exploited remotely by supplying file paths that share a string prefix with an allowed path, thereby evading the restriction and reading or modifying unauthorized files.

Impact

Exploitation of this vulnerability allows for arbitrary file read, write, and delete operations outside the intended directory boundaries, potentially leading to unauthorized access or modification of sensitive files.

Reproduction

To reproduce this vulnerability, first ensure that the server is running with the default 'ALLOWED_PATHS' setting, which restricts access to the user's home directory. Then supply a path that shares a prefix with an allowed path but actually lies outside the allowed directory. For example, if '/home/alice' is allowed, a path such as '/home/alice_backup/loot.txt' passes the check. Once such a path is accepted, the same technique works through either 'read_file_tool' or 'write_file_tool' to access or modify files outside the allowed path.
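The following is an added illustration, not code from the Geekgod382 project: since the advisory does not reproduce 'server.py', the weak check is an assumed reconstruction of a prefix-based comparison that behaves as described, shown next to a hardened replacement that normalizes both paths and compares whole path components. 'ALLOWED_PATHS' is a constructed allow-list matching the advisory's default of the user's home directory.

```python
import os

# Constructed allow-list mirroring the advisory's default: the user's home directory.
ALLOWED_PATHS = ["/home/alice"]


def is_path_allowed_weak(path, allowed=ALLOWED_PATHS):
    """Assumed shape of the flawed check: a plain string-prefix comparison.

    '/home/alice_backup/loot.txt'.startswith('/home/alice') is True, so a
    sibling directory passes even though it lies outside the root.  The same
    goes for '/home/alice/../bob/secret', which is never normalized.
    """
    return any(path.startswith(root) for root in allowed)


def is_path_allowed_fixed(path, allowed=ALLOWED_PATHS):
    """Hardened check: resolve symlinks and '..' on both sides, then require
    that the allowed root is a complete leading component sequence of the
    target rather than merely a leading substring."""
    target = os.path.realpath(path)
    for root in allowed:
        root = os.path.realpath(root)
        try:
            # commonpath works on components, so '/home/alice_backup' and
            # '/home/alice' share only '/home', which is not the root.
            if os.path.commonpath([root, target]) == root:
                return True
        except ValueError:
            # Raised for mixed absolute/relative paths (or drives on Windows);
            # anything that cannot be compared is denied.
            continue
    return False


def compare(paths):
    """Return {path: (weak_verdict, fixed_verdict)} for a list of candidates."""
    return {p: (is_path_allowed_weak(p), is_path_allowed_fixed(p)) for p in paths}


if __name__ == "__main__":
    samples = ["/home/alice/notes.txt", "/home/alice_backup/loot.txt",
               "/home/alice/../bob/secret", "/etc/passwd"]
    for p, (weak, fixed) in compare(samples).items():
        print(f"{p:32} weak={weak!s:5} fixed={fixed}")
```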

Remediation

Users are advised to update to version 1.1.0 of Geekgod382 Filesystem MCP Server, where this vulnerability has been fixed.

Added: Apr 29, 2026, 8:23 PM
Updated: Apr 29, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.0
exploitability: 6.6
remediation: 0.0
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.