| शीर्षक | ryanjoachim mcp-rtfm 0.1.0, Commit 054fe515735cb477d4640c20930c04b243e443fc Path Traversal |
|---|
| विवरण | A path traversal vulnerability (CWE-22) has been identified in mcp-rtfm version 0.1.0, specifically within the get_doc_content, read_doc, and update_doc MCP tools. The tools construct filesystem paths by interpolating a user‑supplied docFile value into a string without normalization or boundary checks, allowing ../ sequences to escape the intended .handoff_docs directory. An attacker with network access to the MCP interface can read or modify arbitrary files accessible to the server process, leading to data exposure, integrity loss, and potential service disruption. No fixed version is available at the time of reporting. |
|---|
| स्रोत | ⚠️ https://github.com/ryanjoachim/mcp-rtfm/issues/5 |
|---|
| उपयोगकर्ता | BruceJqs (UID 97404) |
|---|
| सबमिशन | 18/04/2026 07:41 AM (2 महीनों पहले) |
|---|
| संयम | 03/05/2026 06:01 PM (15 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 360903 [ryanjoachim mcp-rtfm 0.1.0 MCP Interface get_doc_content/read_doc/update_doc docFile निर्देशिका ट्रैवर्सल] |
|---|
| अंक | 20 |
|---|