Submeter #804058: ZachHandley ZMCPTools 0.2.2 Path Traversalinformação

TítuloZachHandley ZMCPTools 0.2.2 Path Traversal
DescriçãoA path traversal vulnerability (CWE-22) has been identified in ZMCPTools version 0.2.2, specifically within the MCP log resource handling code in src/managers/ResourceManager.ts. The resources/read handler accepts a user-controlled logs://{dirname}/content?file={filename} URI and constructs a filesystem path without validating that the resolved path remains under the intended log directory. An attacker with access to the MCP interface can supply ../ sequences in the dirname parameter to read arbitrary local files accessible to the server process, such as /etc/hosts. No fixed version is available at the time of reporting.
Fonte⚠️ https://github.com/ZachHandley/ZMCPTools/issues/8
Utilizador
 _Eternity_ (UID 97332)
Submissão14/04/2026 04h45 (há 2 meses)
Moderação29/04/2026 18h53 (16 days later)
EstadoAceite
Entrada VulDB360186 [ZachHandley ZMCPTools até 0.2.2 MCP Log Resource ResourceManager.ts dirname Travessia de Diretório]
Pontos20

VoltarVisão GeralPróximo

Might our Artificial Intelligence support you?

Check our Alexa App!