CVE-2025-67364

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-67364
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67364.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67364
Aliases
Published
2026-01-07T17:16:01.723Z
Modified
2026-03-13T03:42:05.643646Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fastreadfile. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files.

References

Affected packages

Git / github.com/efforthye/fast-filesystem-mcp

Affected ranges

Type
GIT
Repo
https://github.com/efforthye/fast-filesystem-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c3e7e78959ada1f1389a5f356872b581f9b14916
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.4.0"
        }
    ]
}

Affected versions

v2.*
v2.7.0
v2.7.1
v3.*
v3.3.2
v3.3.3
v3.4.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67364.json"