9 matches found
CVE-2025-67364
CVE-2025-67364 concerns fast-filesystem-mcp 3.4.0, where a path traversal flaw arises in file tools (e.g., fast_read_file) due to improper path validation that fails to resolve symlinks. The safePath/isPathAllowed logic uses path.resolve(), which does not handle symlinks, allowing attackers to pl...
CVE-2025-11489
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
CVE-2025-11489
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
CVE-2025-11489
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
EUVD-2025-33304
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
CVE-2025-11489 wonderwhy-er DesktopCommanderMCP filesystem.ts isPathAllowed symlink
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The...
CVE-2025-11489
CVE-2025-11489 affects wonderwhy-er DesktopCommanderMCP up to 0.2.13. The issue resides in isPathAllowed (src/tools/filesystem.ts) and enables symbolic link following, with local access required and high attack complexity. Publicly disclosed exploitability is noted; vendor guidance recommends usi...
PT-2025-41297
Name of the Vulnerable Software and Affected Versions wonderwhy-er DesktopCommanderMCP versions up to 0.2.13 Description A security issue has been identified in the isPathAllowed function within the src/tools/filesystem.ts file of wonderwhy-er DesktopCommanderMCP. This allows for symlink followin...
Desktop Commander MCP 安全漏洞
Desktop Commander MCP is an MCP server by the individual developer Eduard Ruzga. A security vulnerability exists in Desktop Commander MCP version 0.2.13 and earlier, which stems from the operation of the function isPathAllowed in the file src/tools/filesystem.ts that may result in symbolic link...