| Title | florensiawidjaja BioinfoMCP 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 Path Traversal |
|---|
| Description | The web-facing BioinfoMCP platform exposes POST /upload for converting uploaded manuals into generated MCP server artifacts. The route reads the uploaded file object from request.files, takes its client-supplied filename verbatim, and writes it using f.save(os.path.join("uploads", f.filename)).
Because the multipart filename field is attacker-controlled, an absolute path such as /tmp/bioinfomcp_poc.pdf overrides the intended uploads/ directory entirely, and traversal sequences can also escape it. The route then passes that attacker-chosen saved path into scripts/do_sth.py, so the unsafe path is not only written but also treated as the input artifact for the rest of the conversion workflow.
|
|---|
| Source | ⚠️ https://github.com/florensiawidjaja/BioinfoMCP/issues/2 |
|---|
| User | LittleW (UID 97283) |
|---|
| Submission | 04/13/2026 11:15 (3 months ago) |
|---|
| Moderation | 04/29/2026 13:18 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360122 [florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 Upload Endpoint app.py upload Name path traversal] |
|---|
| Points | 20 |
|---|