Description

@sylphxltd/filesystem-mcp is an MCP server that provides file content reading functionality. Version 0.5.8 contains a critical path traversal vulnerability in its "read_content" tool. The vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before symlinks are resolved, while fs.readFile resolves symlinks automatically during file access. Attackers can therefore bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, gaining unauthorized access to files outside the intended operational scope.
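
The check-then-read gap described above, as an added example that is not code from filesystem-mcp: a lexical containment check beside a realpath-based one, run against a constructed temporary directory. The function names (isInside, readLexicalCheck, readRealpathCheck, demo) are hypothetical, and the lexical check is an assumed simplification of the behaviour the description attributes to resolvePath.

```javascript
// Added example (not the project's code); all function names are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// True when `target` is `root` itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  if (rel === '') return true;
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Weak form: validates the lexical path only, then the read follows symlinks.
function readLexicalCheck(root, userPath) {
  const resolved = path.resolve(root, userPath);
  if (!isInside(root, resolved)) throw new Error('path outside root');
  return fs.readFileSync(resolved, 'utf8');
}

// Hardened form: canonicalise root and target with realpath, then check containment.
function readRealpathCheck(root, userPath) {
  const realRoot = fs.realpathSync(root);
  const real = fs.realpathSync(path.resolve(realRoot, userPath));
  if (!isInside(realRoot, real)) throw new Error('path outside root');
  return fs.readFileSync(real, 'utf8');
}

// Constructed fixture: an allowed directory holding a symlink to a file outside it.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-')));
  const root = path.join(base, 'allowed');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(base, 'outside.txt'), 'outside-data');
  fs.writeFileSync(path.join(root, 'inside.txt'), 'inside-data');
  fs.symlinkSync(path.join(base, 'outside.txt'), path.join(root, 'link.txt'));
  const result = { inside: readRealpathCheck(root, 'inside.txt') };
  result.lexical = readLexicalCheck(root, 'link.txt'); // check passes, read leaves root
  try {
    readRealpathCheck(root, 'link.txt');
    result.hardened = 'allowed';
  } catch (e) {
    result.hardened = e.message;
  }
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

A window remains between realpathSync and the read if another process can alter the directory, so the allowed root should not be writable by untrusted parties.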

INFO

Published Date: 2026-01-07T00:00:00.000Z

Last Modified: 2026-01-07T17:18:19.832Z

Source: mitre

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-67366 vulnerability.

Vendor: Sylphx
  • Product: Filesystem-mcp