high severity

MCP Filesystem server (@modelcontextprotocol/server-filesystem), read_file, list_directory, write_file tools

MCP filesystem server grants access to files/directories outside configured allowed directories if the requested path shares a prefix with an allowed directory (e.g., requesting /private/tmp/allow_dir_secrets succeeds if /private/tmp/allow_dir is allowed), leading to unauthorized reads/writes and potential data leaks.

Root cause

Flawed path validation using simple string prefix matching (normalizedRequested.startsWith(allowedDir)) instead of proper canonicalization and containment checks, allowing access to sibling directories sharing the same prefix (e.g., /allowed/dir vs /allowed/dir-evil).
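The prefix check described above next to a containment check, as an added example that is not the MCP server's own code. The function names and the file names under the directories are constructed for illustration, and the check is lexical only (it does not resolve symlinks).

```javascript
// Added example: not the MCP server's code. Lexical checks only (no symlink resolution).
const path = require("node:path").posix; // POSIX rules so results match on any OS

// The flawed check described above: plain string prefix on the normalized path.
function isAllowedPrefix(requested, allowedDirs) {
  const normalizedRequested = path.normalize(requested);
  return allowedDirs.some((allowedDir) => normalizedRequested.startsWith(allowedDir));
}

// Containment check: the path must equal an allowed directory or sit below it,
// so the match has to end on a path-separator boundary.
function isAllowedContained(requested, allowedDirs) {
  if (!path.isAbsolute(requested)) return false; // refuse cwd-dependent input
  const resolved = path.resolve(requested); // collapses "." and ".." segments
  return allowedDirs.some((allowedDir) => {
    const base = path.resolve(allowedDir); // also strips a trailing "/"
    const rel = path.relative(base, resolved);
    // "" is the directory itself; ".." or a leading "../" means outside it.
    return rel === "" || (rel !== ".." && !rel.startsWith("../"));
  });
}

// Constructed sample paths built from the directories named in the text.
const allowed = ["/private/tmp/allow_dir"];
const samples = [
  "/private/tmp/allow_dir/notes.txt",
  "/private/tmp/allow_dir",
  "/private/tmp/allow_dir_secrets/key.pem",
  "/private/tmp/allow_dir/../allow_dir_secrets/key.pem",
  "/private/tmp/allow_dir/..hidden", // legitimate name that merely starts with ".."
];

// Run both checks over the same inputs so the difference is visible per path.
function compare(paths, allowedDirs) {
  return paths.map((p) => ({
    path: p,
    prefixCheck: isAllowedPrefix(p, allowedDirs),
    containmentCheck: isAllowedContained(p, allowedDirs),
  }));
}

console.table(compare(samples, allowed));
```

The two checks disagree only on the sibling directory that shares the prefix, which is the case the advisory describes.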

MCP, path traversal, filesystem-mcp, server-filesystem, CVE-2025-53110, GHSA-hc55-p739-j48w
