| Field | Value |
|---|---|
| Title | ZachHandley ZMCPTools 0.2.2 Path Traversal |
| Description | A path traversal vulnerability (CWE-22) has been identified in ZMCPTools version 0.2.2, specifically within the MCP log resource handling code in src/managers/ResourceManager.ts. The resources/read handler accepts a user-controlled `logs://{dirname}/content?file=(unknown)` URI and constructs a filesystem path without validating that the resolved path remains under the intended log directory. An attacker with access to the MCP interface can supply `../` sequences in the dirname parameter to read arbitrary local files accessible to the server process, such as /etc/hosts. No fixed version is available at the time of reporting. |
| Source | https://github.com/ZachHandley/ZMCPTools/issues/8 |
| User | _Eternity_ (UID 97332) |
| Submitted | 2026-04-14 04:45 (2 months ago) |
| Moderated | 2026-04-29 18:53 (16 days later) |
| Status | Accepted |
| VulDB entry | 360186 [ZachHandley ZMCPTools up to 0.2.2 MCP Log Resource ResourceManager.ts dirname path traversal] |
| Points | 20 |