Submit #803488: florensiawidjaja BioinfoMCP 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 Path Traversalinfo

Titleflorensiawidjaja BioinfoMCP 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 Path Traversal
DescriptionThe web-facing BioinfoMCP platform exposes POST /upload for converting uploaded manuals into generated MCP server artifacts. The route reads the uploaded file object from request.files, takes its client-supplied filename verbatim, and writes it using f.save(os.path.join("uploads", f.filename)). Because the multipart filename field is attacker-controlled, an absolute path such as /tmp/bioinfomcp_poc.pdf overrides the intended uploads/ directory entirely, and traversal sequences can also escape it. The route then passes that attacker-chosen saved path into scripts/do_sth.py, so the unsafe path is not only written but also treated as the input artifact for the rest of the conversion workflow.
Source⚠️ https://github.com/florensiawidjaja/BioinfoMCP/issues/2
User
 LittleW (UID 97283)
Submission04/13/2026 11:15 (3 months ago)
Moderation04/29/2026 13:18 (16 days later)
StatusAccepted
VulDB entry360122 [florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 Upload Endpoint app.py upload Name path traversal]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!