Submission #802120: Deepractice PromptX 2.4.0 Improper Authorization

Title: Deepractice PromptX 2.4.0 Improper Authorization
Description: An arbitrary local file read vulnerability (CWE-862) has been identified in @promptx/mcp-office of PromptX, specifically within packages/mcp-office/src/index.ts. Multiple MCP tools, including read_docx, read_xlsx, read_pptx, list_xlsx_sheets, and read_pdf, accept a user-supplied path argument and use it directly in filesystem operations such as fs.readFileSync and AdmZip without workspace-boundary enforcement or allowlisting. An attacker with access to the mcp-office server can read arbitrary Office or PDF files from any location on the local filesystem by providing an absolute path outside the intended workspace. Version 2.4.0 is confirmed affected, and no fixed version is available at the time of reporting.
Source: https://github.com/Deepractice/PromptX/issues/571
User: BruceJin (UID 96538)
Submitted: 2026-04-10 16:00 (2 months ago)
Moderated: 2026-04-27 17:24 (17 days later)
Status: Accepted
VulDB Entry: 359817 [Deepractice PromptX up to 2.4.0 Document File index.ts path information disclosure]
Points: 20
