| tiêu đề | Flux159 mcp-game-asset-gen 0.1.0 Path Traversal |
|---|
| Mô tả | An arbitrary file write vulnerability (CWE-73) has been identified in mcp-game-asset-gen version 0.1.0, specifically within the image_to_3d_async MCP tool in src/index.ts and src/providers/model3dHelpers.ts. The tool accepts a user‑supplied statusFile argument and writes application‑generated JSON status data to that path without validating that the destination resides inside a safe output directory. An attacker with network access to the MCP interface can create or overwrite files at arbitrary writable filesystem locations, potentially corrupting application files, logs, or configuration data. No fixed version is available at the time of reporting. |
|---|
| Nguồn | ⚠️ https://github.com/Flux159/mcp-game-asset-gen/issues/3 |
|---|
| Người dùng | _Eternity_ (UID 97332) |
|---|
| Đệ trình | 15/04/2026 04:50 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 01/05/2026 11:45 (16 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360547 [Flux159 mcp-game-asset-gen 0.1.0 MCP Interface src/index.ts image_to_3d_async statusFile duyệt thư mục] |
|---|
| điểm | 20 |
|---|