Submit #806913: ravenwits mcp-server-arangodb 0.4.7 Path Traversalinfo

Titleravenwits mcp-server-arangodb 0.4.7 Path Traversal
DescriptionAn arbitrary file write vulnerability (CWE-73) has been identified in mcp-server-arangodb version 0.4.7 (commit 3964a1f), specifically within the arango_backup MCP tool. The tool accepts a user‑supplied outputDir argument, resolves it with path.resolve, creates the directory, and writes JSON backup files there without constraining the destination to a safe backup root or validating path traversal. An attacker with network access to the MCP interface can write database backup files to arbitrary writable filesystem locations, leading to integrity loss and potential service disruption. No fixed version is available at the time of reporting.
Source⚠️ https://github.com/ravenwits/mcp-server-arangodb/issues/7
User
 BruceJqs (UID 97404)
Submission04/17/2026 10:05 (3 months ago)
Moderation05/03/2026 10:01 (16 days later)
StatusAccepted
VulDB entry360891 [ravenwits mcp-server-arangodb up to 0.4.7 MCP Interface src/tools.ts arango_backup outputDir path traversal]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!