| عنوان | WilliamCloudQi matlab-mcp-server Commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca Path Traversal |
|---|
| الوصف | An arbitrary file write vulnerability (CWE-22) has been identified in matlab-mcp-server, specifically within src/index.ts. The generate_matlab_code and execute_matlab_code MCP tools accept a user-supplied scriptPath argument and use it directly as a filesystem write target without enforcing a safe base directory, rejecting absolute paths, or restricting parent-directory traversal. An attacker with network access to the MCP interface can write attacker-influenced content to arbitrary filesystem paths writable by the server process, potentially leading to integrity loss, configuration corruption, or further compromise. Commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca is confirmed affected, and no fixed version is available at the time of reporting. |
|---|
| المصدر | ⚠️ https://github.com/WilliamCloudQi/matlab-mcp-server/issues/8 |
|---|
| المستخدم | BruceJin (UID 96538) |
|---|
| ارسال | 11/04/2026 07:29 PM (2 أشهر منذ) |
|---|
| الاعتدال | 28/04/2026 07:42 AM (17 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 359927 [WilliamCloudQi matlab-mcp-server حتى ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca MCP Interface src/index.ts generate_matlab_code/execute_matlab_code scriptPath اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|