| tiêu đề | dazeb cline-mcp-memory-bank 55c81b9cf6c16700983c84dc4cdea3cafa19a75f Path Traversal |
|---|
| Mô tả | The server accepts user-controlled projectPath from MCP request arguments and directly uses it in filesystem path construction. Multiple handlers build paths with path.join(projectPath, ...) and then perform file operations (readFile, writeFile, mkdir, readdir) without enforcing a workspace-root boundary check. This allows path traversal style abuse and may lead to unauthorized file read/write outside the intended project scope.
Screenshot 1 - User-controlled input source (projectPath from args)
<img width="684" height="141" alt="Image" src="https://github.com/user-attachments/assets/924fe519-68ad-4cc5-8862-9227ba5fb823" />
Screenshot 2 - Path construction (path.join(projectPath, ...))
<img width="1020" height="659" alt="Image" src="https://github.com/user-attachments/assets/c20c38c9-4593-4ea8-80e6-88b74c938aa0" />
Screenshot 3 - File operations (fs.readFile / fs.writeFile / fs.mkdir / fs.readdir)
<img width="891" height="629" alt="Image" src="https://github.com/user-attachments/assets/e0248cb3-63fa-4598-bff5-05451249cdbe" /> |
|---|
| Nguồn | ⚠️ https://github.com/dazeb/cline-mcp-memory-bank/issues/5 |
|---|
| Người dùng | Anonymous User |
|---|
| Đệ trình | 27/04/2026 10:28 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 24/05/2026 11:01 (27 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 365449 [dazeb cline-mcp-memory-bank đến 55c81b9cf6c16700983c84dc4cdea3cafa19a75f src/index.ts handleInitializeMemoryBank projectPath duyệt thư mục] |
|---|
| điểm | 20 |
|---|