提出 #854531: lamaalrajih kicad-mcp 3.3.1 Information Disclosure情報

タイトルlamaalrajih kicad-mcp 3.3.1 Information Disclosure
説明A vulnerability was found in lamaalrajih/kicad-mcp 3.3.1. The issue affects multiple MCP tools that accept caller-controlled project_path or schematic_path arguments. The project includes a PathValidator implementation intended to prevent path traversal and restrict file operations to safe directories. However, this validator is not applied to the path-taking MCP tool handlers in kicad_mcp/tools/. As a result, these handlers pass caller-controlled paths directly to os.path.exists(), open(), os.listdir(), and related filesystem operations. The strongest confirmed primitive is directory enumeration through get_project_structure. This tool computes the directory from the caller-supplied project_path and enumerates files in that directory that match KiCad-related extension patterns such as .kicad_pro, .kicad_sch, .kicad_pcb, .net, and .csv. In the public reproduction, calling get_project_structure with project_path="/etc/passwd" caused the server to return information derived from /etc/, including a matched .net file. Other affected tools, including validate_project and netlist extraction tools, can also be made to attempt to open attacker-chosen paths. The full file body is not generally returned to the caller, but filesystem reachability and parse outcomes are observable. This creates a filesystem probing and permission oracle for process-readable or process-searchable paths. The confirmed impact is filesystem reachability probing and directory enumeration outside the intended KiCad project boundary. This is security-relevant because the project already implements and tests a PathValidator for this purpose, but the MCP tool entry points do not apply it. In MCP deployments, tool arguments may be supplied by an MCP-aware client or selected by an AI assistant influenced by untrusted project content or prompt injection. Affected package: kicad-mcp Affected version: 3.3.1 Affected commit: 98c9ea41cb393393a8bafd157a93e84431e00afb Affected directory: kicad_mcp/tools/ Affected tools include: analyze_bom, analyze_project_circuit_patterns, analyze_schematic_connections, export_bom_csv, extract_project_netlist, extract_schematic_netlist, find_component_connections, generate_pcb_thumbnail, generate_project_thumbnail, get_drc_history_tool, get_project_structure, identify_circuit_patterns, open_project, run_drc_check, validate_project Affected parameters: project_path, schematic_path CWE: CWE-693 / CWE-22 / CWE-200 CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Suggested severity: Medium Suggested remediation: apply the existing PathValidator to every MCP tool entry point that accepts project_path or schematic_path before any filesystem operation. Resolve paths canonically and enforce containment within an operator-configured trusted KiCad workspace or explicitly approved project root. Reject absolute paths, traversal attempts, and symlink escapes outside the trusted root. Directory enumeration helpers should also enforce containment at the repository layer as defense in depth.
ソース⚠️ https://github.com/lamaalrajih/kicad-mcp/issues/57
ユーザー Mcfly_Zhang (UID 98877)
送信2026年06月10日 02:40 (1 月 ago)
モデレーション2026年07月12日 14:53 (1 month later)
ステータス承諾済み
VulDBエントリ377866 [lamaalrajih kicad-mcp 迄 3.3.1 path_validator.py project_path/schematic_path 特権昇格]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!