Submit #808085: huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversalinfo

Titlehuangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal
DescriptionA path traversal vulnerability (CWE-22) exists in huangjunsen0406/xiaozhi-mcphub 1.0.3. The DXT upload handler in src/controllers/dxtController.ts extracts .dxt archives and uses the name field from the untrusted manifest.json file to construct the extraction path using path.join. Because this value is not sanitized, an authenticated attacker can use traversal sequences (e.g., ../../) to extract files to arbitrary locations outside the intended directory.
Source⚠️ https://github.com/ccccccctiiiiiiii-lab/public_exp/issues/10
User
 cccccccti (UID 96695)
Submission04/20/2026 09:46 (3 months ago)
Moderation05/16/2026 11:57 (26 days later)
StatusDuplicate
VulDB entry361904 [huangjunsen0406 xiaozhi-mcphub up to 1.0.3 dxtController.ts manifest.name path traversal]
Points0

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!