제출 #854523: tugcantopaloglu godot-mcp 2.0.0 Path Traversal정보

제목tugcantopaloglu godot-mcp 2.0.0 Path Traversal
설명A vulnerability was found in tugcantopaloglu/godot-mcp 2.0.0. The issue affects the MCP tool run_project and the parameter projectPath. The run_project tool accepts a caller-controlled projectPath and performs persistent filesystem modifications under that path. The current path validation only rejects literal ".." substrings, but it does not restrict the path to a trusted workspace, configured project root, current working directory, or user-approved directory. A plain absolute path to any writable local Godot project is accepted if the directory contains a project.godot file. When run_project is called, the server invokes injectInteractionServer(projectPath) before launching Godot. This function copies mcp_interaction_server.gd into the target project directory and modifies the target project's project.godot file to add an autoload entry for McpInteractionServer. These writes occur before Godot is spawned, so the issue is reproducible even if Godot is not installed or if Godot later fails to launch. An MCP client that can call run_project can therefore cause the MCP server process to persistently modify an arbitrary writable local Godot project accessible to the server user. The modification creates mcp_interaction_server.gd, modifies project.godot, and adds an autoload entry. When the victim later opens or runs the modified Godot project, Godot automatically loads the injected script. The injected script is security-relevant because it contains a localhost TCP runtime-control channel and eval-capable GDScript primitives. In the public reproduction, the injected script listened on 127.0.0.1:9090 and contained a command dispatcher using GDScript.new(). Affected component: build/index.js Affected tool: run_project Affected parameter: projectPath Affected package version: 2.0.0 CWE: CWE-22 / CWE-732 / CWE-284 CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L Suggested severity: Medium Suggested remediation: enforce a strict workspace boundary before any filesystem write is performed. Resolve projectPath with realpath and require it to remain inside an operator-configured trusted workspace or an explicitly user-approved Godot project root. Reject absolute paths, traversal attempts, and symlink escapes that resolve outside the trusted root. The tool should also disclose and require confirmation before performing persistent project modifications such as adding autoload entries.
원천⚠️ https://github.com/tugcantopaloglu/godot-mcp/issues/9
사용자 Mcfly_Zhang (UID 98877)
제출2026. 06. 10. AM 02:12 (1 월 ago)
모더레이션2026. 07. 12. PM 01:37 (1 month later)
상태수락
VulDB 항목377851 [tugcantopaloglu godot-mcp 2.0.0 run_project build/index.js validatePath projectPath 디렉토리 순회]
포인트들20

Do you need the next level of professionalism?

Upgrade your account now!