5 matches found

OSV
added 2026/05/05 6:28 p.m. | 0 views

GHSA-9WHX-C884-C68Q Langflow Knowledge Bases API is Vulnerable to Path Traversal

Summary: Langflow is vulnerable to Path Traversal in the Knowledge Bases API DELETE /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit thi...

CVSS 9.6 | AI score 6 | EPSS 0.00015
Exploits 1 | References 3
Github Security Blog
added 2026/01/07 6:30 p.m. | 4 views

fast-filesystem-mcp has a Path Traversal vulnerability

fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed...

CVSS 7.5 | AI score 6.7 | EPSS 0.00023
Exploits 1 | References 4 | Affected Software 1
CVE
added 2026/01/07 12:0 a.m. | 9 views

CVE-2025-67364

CVE-2025-67364 concerns fast-filesystem-mcp 3.4.0, where a path traversal flaw arises in file tools (e.g., fast_read_file) due to improper path validation that fails to resolve symlinks. The safePath/isPathAllowed logic uses path.resolve(), which does not handle symlinks, allowing attackers to pl...

CVSS 7.5 | AI score 6.3 | EPSS 0.00023
Exploits 1 | References 2 | Affected Software 1
RedHat Linux
added 2024/04/08 8:54 a.m. | 1 views

nodejs: path traversal by monkey-patching buffer internals

A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from to obtain a buffer from the result of path.resolve. By...

CVSS 9.8 | AI score 7.3 | EPSS 0.01642
Exploits 0 | References 4
RedhatCVE
added 2024/02/23 7:31 p.m. | 35 views

CVE-2024-21896

A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from to obtain a buffer from the result of path.resolve. By...

CVSS 7.9 | AI score 7.6 | EPSS 0.01642
Exploits 0 | References 3