Submit #813980: debugmcp mcp-debugger 3e83906c8358965efd683c734e94a75d338400fa Path Traversalinfo

Titledebugmcp mcp-debugger 3e83906c8358965efd683c734e94a75d338400fa Path Traversal
DescriptionA path traversal / arbitrary file read issue exists in debugmcp/mcp-debugger (tested on commit 3e83906c8358965efd683c734e94a75d338400fa). The source-context flow accepts user-controlled file input via handleGetSourceContext. In host mode, resolvePathForRuntime returns input paths unchanged, and the effective path reaches filesystem operations (readFile/stat/pathExists) without workspace boundary enforcement. This allows unauthorized reading of arbitrary absolute filesystem paths.
Source⚠️ https://github.com/hyk6225/public_exp/issues/1
User
 Anonymous User
Submission04/27/2026 09:26 (3 months ago)
Moderation05/24/2026 10:58 (27 days later)
StatusAccepted
VulDB entry365448 [debugmcp mcp-debugger up to 0.20.0 src/server.ts handleGetSourceContext path traversal]
Points20

Interested in the pricing of exploits?

See the underground prices here!