Submit #803081: eiceblue spire-pdf-mcp-server 0.1.1 Path Traversalinfo

Titleeiceblue spire-pdf-mcp-server 0.1.1 Path Traversal
Descriptionspire-pdf-mcp-server advertises PDF_FILES_PATH as the directory for managed PDF files. The server nonetheless resolves user-supplied paths with a helper that explicitly returns absolute paths unchanged and blindly joins relative paths to PDF_FILES_PATH without normalization or containment checks. As a result, callers can escape the configured PDF directory with payloads such as ../../../../tmp/poc.pdf or /tmp/poc.pdf. Multiple exposed tools then operate on that escaped path, allowing arbitrary PDF creation, arbitrary PDF conversion to attacker-chosen output locations, and arbitrary reads of existing host PDFs that the service account can access.
Source⚠️ https://github.com/eiceblue/spire-pdf-mcp-server/issues/1
User
 LittleW (UID 97283)
Submission04/12/2026 12:05 (3 months ago)
Moderation04/28/2026 15:00 (16 days later)
StatusAccepted
VulDB entry359963 [eiceblue spire-pdf-mcp-server 0.1.1 PDF File server.py get_pdf_path filepath path traversal]
Points20

Do you know our Splunk app?

Download it now for free!