| शीर्षक | AgiFlow @agiflowai/scaffold-mcp 1.0.27 Path Traversal |
|---|
| विवरण | An arbitrary file write vulnerability (CWE-22) has been identified in the write-to-file tool of @agiflowai/scaffold-mcp (version 1.0.27). The tool accepts a user-supplied file_path argument and writes attacker-controlled content to that path after resolving absolute paths as-is or relative paths against the current working directory, without enforcing any workspace or base-directory boundary. An attacker with access to the MCP interface can write or overwrite arbitrary files writable by the server process, potentially leading to integrity loss, configuration corruption, or further compromise. No fixed version is available at the time of reporting. |
|---|
| स्रोत | ⚠️ https://github.com/AgiFlow/aicode-toolkit/issues/88 |
|---|
| उपयोगकर्ता | BruceJin (UID 96538) |
|---|
| सबमिशन | 11/04/2026 11:49 AM (2 महीनों पहले) |
|---|
| संयम | 27/04/2026 07:17 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 359845 [AgiFlow scaffold-mcp तक 1.0.27 write-to-file Tool index.ts file_path निर्देशिका ट्रैवर्सल] |
|---|
| अंक | 20 |
|---|