| Title | Deepractice PromptX 2.4.0 Improper Authorization |
|---|---|
| Description | An arbitrary local file read vulnerability (CWE-862) has been identified in @promptx/mcp-office of PromptX, specifically within packages/mcp-office/src/index.ts. Multiple MCP tools (read_docx, read_xlsx, read_pptx, list_xlsx_sheets, and read_pdf) accept a user-supplied path argument and pass it directly to filesystem operations such as fs.readFileSync and AdmZip, with no workspace-boundary enforcement or allowlisting. An attacker with access to the mcp-office server can read arbitrary Office or PDF files from any location on the local filesystem by supplying an absolute path outside the intended workspace. Version 2.4.0 is confirmed affected, and no fixed version was available at the time of reporting. |
| Source | https://github.com/Deepractice/PromptX/issues/571 |
| User | BruceJin (UID 96538) |
| Submitted | 2026-04-10 04:00 PM (2 months ago) |
| Moderation | 2026-04-27 05:24 PM (17 days later) |
| Status | Accepted |
| VulDB Entry | 359817 [Deepractice PromptX up to 2.4.0 Document File index.ts path information disclosure] |
| Points | 20 |
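The missing check the description refers to, written as an added example (not PromptX code): a resolver that pins a tool's `path` argument to a configured workspace root and to the document types the office tools handle. The root, the extension set and the function names are assumptions; a POSIX filesystem layout is assumed for the sample values.

```typescript
import * as path from "path";

// Assumed workspace root; a real server would read this from its configuration.
const WORKSPACE_ROOT = "/srv/promptx/workspace";

// Document types the office tools are expected to open; anything else is refused.
const ALLOWED_EXTENSIONS = new Set([".docx", ".xlsx", ".pptx", ".pdf"]);

class PathRejected extends Error {}

/**
 * Resolve a user-supplied path against the workspace root and refuse anything
 * that would land outside it. Returns the absolute path the tool may read.
 */
function resolveWithinWorkspace(workspaceRoot: string, userPath: string): string {
  const root = path.resolve(workspaceRoot);
  // Relative input is joined to the root; absolute input is resolved as given,
  // so "/etc/passwd" is checked as-is rather than silently prefixed with the root.
  const candidate = path.resolve(root, userPath);
  const rel = path.relative(root, candidate);
  // Outside the root when the relative form climbs out ("..", "../x"), is
  // absolute (another drive on Windows), or names the root itself ("").
  const climbsOut = rel === ".." || rel.startsWith(".." + path.sep);
  if (rel === "" || climbsOut || path.isAbsolute(rel)) {
    throw new PathRejected(`path escapes workspace: ${userPath}`);
  }
  // Prefix comparison above is lexical; "/srv/promptx/workspace2" still fails
  // because path.relative yields "../workspace2/...", not a bare prefix match.
  const ext = path.extname(candidate).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    throw new PathRejected(`unsupported document type: ${ext || "(none)"}`);
  }
  return candidate;
}

// Convenience predicate for a tool handler: true when the path may be opened.
function isAllowed(workspaceRoot: string, userPath: string): boolean {
  try {
    resolveWithinWorkspace(workspaceRoot, userPath);
    return true;
  } catch (e) {
    if (e instanceof PathRejected) return false;
    throw e;
  }
}

console.log(resolveWithinWorkspace(WORKSPACE_ROOT, "reports/q1.docx"));
```

The check is lexical; on a live filesystem, canonicalise the resolved path with `fs.realpathSync` and re-run the boundary test so a symlink inside the workspace cannot point outside it.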