| tiêu đề | Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal |
|---|
| Mô tả | An arbitrary file write vulnerability (CWE-73) has been identified in hwpx-mcp-server version 0.2.0 (commit 87850fd), specifically within the save_document, export_to_text, and export_to_html MCP tools. The server accepts caller‑controlled output_path arguments and writes to those paths without validating that the destination resides inside a safe workspace, allowing parent‑directory traversal or absolute paths. An attacker with network access to the MCP interface can create or overwrite files at arbitrary locations writable by the server process, leading to integrity loss, configuration corruption, or denial of service. No fixed version is available at the time of reporting. |
|---|
| Nguồn | ⚠️ https://github.com/Dayoooun/hwpx-mcp/issues/3 |
|---|
| Người dùng | _Eternity_ (UID 97332) |
|---|
| Đệ trình | 15/04/2026 10:21 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 01/05/2026 12:47 (16 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360556 [Dayoooun hwpx-mcp 0.2.0 MCP Interface mcp-server/src/index.ts save_document/export_to_text/export_to_html output_path duyệt thư mục] |
|---|
| điểm | 20 |
|---|