CVE-2025-67366 in filesystem-mcp
Summary
by MITRE • 01/07/2026
@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/07/2026
The vulnerability identified as CVE-2025-67366 affects the @sylphxltd/filesystem-mcp package version 0.5.8, which serves as an MCP server implementing file content reading capabilities. This critical security flaw stems from a fundamental design flaw in the path validation mechanism that governs file access operations. The system's resolvePath function performs validation checks before resolving symbolic links, creating a window of opportunity for attackers to exploit the discrepancy between validation and actual file access. This architectural inconsistency represents a classic security anti-pattern that violates the principle of least privilege and proper input sanitization. The vulnerability specifically impacts the read_content tool functionality, which forms a core component of the server's file access capabilities, making it a critical attack vector for unauthorized information disclosure.
The technical exploitation of this vulnerability occurs through a sophisticated symlink manipulation technique that bypasses the intended directory restrictions. When the resolvePath function validates a path, it operates on the unresolved symbolic link, allowing maliciously crafted symlinks to pass validation while the underlying fs.readFile function automatically resolves these links during actual file access. This creates a dangerous race condition where the system's validation logic fails to account for the dynamic nature of symbolic links. The vulnerability is classified under CWE-22 as Path Traversal, specifically manifesting as improper symlink handling within a directory traversal context. Attackers can create symlinks within the allowed directory that point to files outside the intended operational scope, effectively circumventing access controls. The flaw demonstrates a fundamental misunderstanding of how symbolic links interact with path validation mechanisms, representing a common but critical oversight in security design.
The operational impact of this vulnerability extends beyond simple unauthorized file access, creating potential for extensive data breaches and system compromise. An attacker with access to the MCP server could leverage this vulnerability to read sensitive files from the system's filesystem, potentially including configuration files, credentials, application data, or system logs. The attack surface is particularly concerning because it operates within a server environment where file access controls are expected to be strictly enforced. This vulnerability could enable attackers to escalate privileges, gather intelligence for further attacks, or exfiltrate sensitive information. The critical nature of this flaw means that any system running version 0.5.8 of the filesystem-mcp package is immediately at risk, with no distinction between internal and external attack vectors. The vulnerability aligns with ATT&CK technique T1083 (File and Directory Discovery) and T1566 (Phishing) as attackers could use this to gather information for more sophisticated attacks. Organizations utilizing this package should immediately assess their exposure and implement emergency mitigations to prevent potential data breaches.
Mitigation strategies for CVE-2025-67366 must address the core architectural flaw in the symlink handling mechanism. The most effective immediate solution involves modifying the resolvePath function to fully resolve symbolic links before performing any validation checks, ensuring that validation operates on the actual resolved paths rather than the potentially deceptive symbolic link targets. Organizations should implement comprehensive path validation that explicitly handles and rejects symbolic links within the allowed directory scope, preventing the creation of malicious symlinks that could bypass access controls. Additionally, the system should enforce strict file access controls using absolute paths and implement proper sandboxing techniques to isolate file access operations. The recommended approach aligns with security best practices outlined in NIST SP 800-128 and ISO/IEC 27001, emphasizing the importance of proper input validation and access control implementation. Regular security audits should verify that symbolic link handling is properly configured and that all file access operations adhere to the principle of least privilege. The remediation process should also include updating to patched versions of the filesystem-mcp package when available, while implementing additional monitoring and logging to detect potential exploitation attempts.