## MCP Server Vulnerability: Unrestricted Path Traversal Exposes Local Filesystem to Malicious Clients
A critical security flaw in the MCP (Model Context Protocol) server grants malicious clients read access to any file on the local filesystem that the server process can read. The vulnerability stems from a complete absence of path traversal containment or validation on tool parameters. Any MCP tool that accepts a `path` argument (including `analyze_project`, `analyze_file`, and `get_debt_summary`) performs no security checks beyond verifying that the input is a non-empty string. This oversight creates a direct pipeline for data exfiltration.

The impact is severe. A malicious client can supply any file path readable by the process owner, such as `/etc/passwd` or `~/.ssh/id_rsa`. The `readFile` function in `src/utils/fileUtils.ts` is a direct, unsanitized call to `fs.promises.readFile(filePath, 'utf-8')`. Consequently, the `analyze_file` tool will read the specified file and return its contents in the response, constituting a complete read-anywhere vulnerability. The core failure points are `src/server/inputParser.ts`, which only validates string presence, and the aforementioned `fileUtils.ts`.

This vulnerability places any system running the affected MCP server at immediate risk of credential theft, configuration exposure, and sensitive data leakage. The suggested fix is to enforce that all caller-supplied paths are absolute, normalized, and validated against a secure base directory before any file operation is permitted. Until patched, the server gives any connected client read access to whatever the server process itself can read.
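
One way to implement the suggested containment check, as an added example that is not the project's own code. The helper name `resolveInsideBase`, the choice to resolve relative input against the base directory, and the temporary directory tree are assumptions made for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper, not the project's code: return the canonical path only
// if it stays inside baseDir, otherwise throw before any file is read.
function resolveInsideBase(baseDir: string, userPath: string): string {
  if (typeof userPath !== "string" || userPath.length === 0 || userPath.indexOf("\0") !== -1) {
    throw new Error("path must be a non-empty string without NUL bytes");
  }
  const base = fs.realpathSync(baseDir);          // canonical base directory
  const candidate = path.resolve(base, userPath); // absolute and normalized (".." collapsed)
  const real = fs.realpathSync(candidate);        // follows symlinks; throws if the path is missing
  const rel = path.relative(base, real);
  // Compare path segments: a plain startsWith(base) would accept the sibling "<base>-evil".
  if (rel.split(path.sep)[0] === ".." || path.isAbsolute(rel)) {
    throw new Error(`path escapes base directory: ${userPath}`);
  }
  return real;
}

// Constructed sample tree: an allowed project directory, a sibling directory
// sharing its name prefix, and a symlink inside the project that points outside it.
function runContainmentDemo(): Record<string, string> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "mcp-paths-"));
  const base = path.join(root, "project");
  const outside = path.join(root, "project-evil");
  fs.mkdirSync(path.join(base, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(base, "src", "index.ts"), "export {};\n");
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed secret\n");
  fs.symlinkSync(outside, path.join(base, "link"));

  const inputs: Record<string, string> = {
    relativeInside: "src/index.ts",
    absoluteInside: path.join(base, "src", "index.ts"),
    dotDot: "../project-evil/secret.txt",
    absoluteOutside: path.join(outside, "secret.txt"),
    symlinkEscape: "link/secret.txt",
  };
  const results: Record<string, string> = {};
  for (const name of Object.keys(inputs)) {
    try { resolveInsideBase(base, inputs[name]); results[name] = "allowed"; }
    catch { results[name] = "rejected"; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
```

The check fails closed: a path that does not exist is rejected because `realpathSync` throws, which suits read-only tools such as `analyze_file`.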

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, path traversal, data leakage, MCP
- **Credibility**: unverified
- **Published**: 2026-04-06 06:27:01
- **ID**: 51086
- **URL**: https://whisperx.ai/en/intel/51086