| Título | tugcantopaloglu godot-mcp 2.0.0 Path Traversal |
|---|
| Descripción | A vulnerability was found in tugcantopaloglu/godot-mcp 2.0.0. The issue affects the MCP tool run_project and the parameter projectPath.
The run_project tool accepts a caller-controlled projectPath and performs persistent filesystem modifications under that path. The current path validation only rejects literal ".." substrings, but it does not restrict the path to a trusted workspace, configured project root, current working directory, or user-approved directory. A plain absolute path to any writable local Godot project is accepted if the directory contains a project.godot file.
When run_project is called, the server invokes injectInteractionServer(projectPath) before launching Godot. This function copies mcp_interaction_server.gd into the target project directory and modifies the target project's project.godot file to add an autoload entry for McpInteractionServer. These writes occur before Godot is spawned, so the issue is reproducible even if Godot is not installed or if Godot later fails to launch.
An MCP client that can call run_project can therefore cause the MCP server process to persistently modify an arbitrary writable local Godot project accessible to the server user. The modification creates mcp_interaction_server.gd, modifies project.godot, and adds an autoload entry. When the victim later opens or runs the modified Godot project, Godot automatically loads the injected script.
The injected script is security-relevant because it contains a localhost TCP runtime-control channel and eval-capable GDScript primitives. In the public reproduction, the injected script listened on 127.0.0.1:9090 and contained a command dispatcher using GDScript.new().
Affected component: build/index.js
Affected tool: run_project
Affected parameter: projectPath
Affected package version: 2.0.0
CWE: CWE-22 / CWE-732 / CWE-284
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Suggested severity: Medium
Suggested remediation: enforce a strict workspace boundary before any filesystem write is performed. Resolve projectPath with realpath and require it to remain inside an operator-configured trusted workspace or an explicitly user-approved Godot project root. Reject absolute paths, traversal attempts, and symlink escapes that resolve outside the trusted root. The tool should also disclose and require confirmation before performing persistent project modifications such as adding autoload entries. |
|---|
| Fuente | ⚠️ https://github.com/tugcantopaloglu/godot-mcp/issues/9 |
|---|
| Usuario | Mcfly_Zhang (UID 98877) |
|---|
| Sumisión | 2026-06-10 02:12 (hace 1 mes) |
|---|
| Moderación | 2026-07-12 13:37 (1 month later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 377851 [tugcantopaloglu godot-mcp 2.0.0 run_project build/index.js validatePath projectPath recorrido de directorios] |
|---|
| Puntos | 20 |
|---|