Axle-Bucamp MCP-Docusaurus Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in Axle-Bucamp MCP-Docusaurus versions prior to commit 404bc028e15ec304c9a045528560f4b5f27a17e0. The issue arises in the document management functions of the FastAPI application, specifically within 'app/routes/document.py'. The vulnerability allows for manipulation of the 'path' argument, enabling attackers to traverse directories and access files outside the intended documentation root. This could lead to unauthorized reading, modification, or deletion of files, depending on the existence and type of the targeted file.

Impact

Exploitation of this vulnerability allows for path traversal, enabling access to sensitive files outside the designated documentation directory. This could result in unauthorized reading, modification, or deletion of files, depending on the actions taken with the traversed paths.

Reproduction

To reproduce this vulnerability, upload the application to a server and start the MCP service. Then, submit a traversal payload by manipulating the 'path' argument in the document update, continuation, or deletion functions. This can be done through the MCP API by invoking the respective tools with the crafted path that includes traversal sequences, such as '../', to access files outside the intended directory.

Remediation

The vulnerability can be addressed by applying canonical path validation to all document-related functions that perform file operations. This includes enforcing strict containment checks before reading, writing, or deleting files, and rejecting traversal patterns, absolute paths, and symlink escape scenarios.
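An added example, not code from the MCP-Docusaurus project, of the canonical path validation described above: the document path is resolved beneath the documentation root and rejected if it is absolute, contains a traversal segment, or (via a symlink) resolves outside the root. Function and file names are assumptions; it assumes a POSIX filesystem.

```python
# Added example (not the project's own code): canonical-path containment check
# of the kind the remediation above describes. Names are assumptions, not
# MCP-Docusaurus identifiers. Assumes a POSIX filesystem (symlink creation).
from pathlib import Path, PurePosixPath
import tempfile

class PathEscapeError(ValueError):
    """Raised when a requested document path would leave the documentation root."""

def safe_doc_path(docs_root: Path, user_path: str) -> Path:
    """Resolve user_path beneath docs_root or raise PathEscapeError.
    Rejects empty paths, NUL bytes, absolute paths, '..' segments and symlinks
    that resolve outside the root; returns the canonical absolute path."""
    if not user_path or "\x00" in user_path:
        raise PathEscapeError("empty path or NUL byte")
    requested = PurePosixPath(user_path)
    if requested.is_absolute() or ".." in requested.parts:
        raise PathEscapeError(f"absolute path or traversal segment: {user_path!r}")
    root = docs_root.resolve()
    # resolve() follows symlinks, so a link pointing outside the root lands
    # outside it here and fails the containment check that follows.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathEscapeError(f"{user_path!r} resolves outside the docs root")
    return candidate

def demo() -> dict:
    """Run the check on a constructed temp layout; True = verdict as expected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "docs"
        root.mkdir()
        (root / "intro.md").write_text("# intro\n")
        (Path(tmp) / "secret.txt").write_text("outside the root\n")
        (root / "escape").symlink_to(Path(tmp) / "secret.txt")  # symlink escape
        cases = {  # input -> should it be accepted?
            "intro.md": True,
            "guide/new.md": True,   # not yet existing, but still inside the root
            "../secret.txt": False,
            "/etc/passwd": False,
            "escape": False,        # symlink resolves outside the root
        }
        for path, expected_ok in cases.items():
            try:
                safe_doc_path(root, path)
                accepted = True
            except PathEscapeError:
                accepted = False
            results[path] = accepted == expected_ok
    return results
```

The same check must run before every read, write, append and delete on the document root; validating only on one route leaves the others exposed.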

Added: May 5, 2026, 12:12 PM
Updated: May 5, 2026, 12:12 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           1.0
exploitability   8.7
remediation      0.0
relevance        7.5
threat           6.4
urgency          2.9
incentive        4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.