MCP Research Server Path Traversal Vulnerability (CWE-22) with POC

MCP Research Server Theme Path Traversal / Arbitrary JSON File Write Vulnerability #1 Vulnerability Overview Vulnerability Type: Path Traversal (CWE-22) Vulnerability Description: When storing arXiv search results, in MCP Research Server is hardcoded to "papers". The tool incorrectly reuses the user-controlled string as a filesystem directory name. Technical Root Cause: 1. The tool accepts unconstrained search terms. 2. The same untrusted string is used as a directory name. 3. The derived path is created and written within the result storage path without boundary enforcement. 4. Audit Conclusion: This is a confirmed path traversal vulnerability. Scope of Impact Affected Versions: 0.1.8 Affected Scope: Revisions that construct the storage path from the original . Fixed Version: Not available at the time of reporting (April 10, 2026). Remediation Temporary Mitigations: - Treat as a search query; do not use it directly as a filesystem path component. - Generate secure server-side storage keys for each search, or strictly sanitize before constructing the path. - Parse candidate paths and verify that they remain within . Recommended Fixes: - Replace the current directory derivation with filename-safe encoding or generated identifiers. - Add boundary checks to ensure all result files remain within . - Add regression tests for , absolute paths, and mixed delimiter variants. - Re-audit related resource handlers, as they also derive paths from user-controlled values. Proof of Concept (POC) Code Attack Prerequisites Ability to invoke the exposed MCP tool. The service account must have write permissions to the attacker-selected destination directory. The server must be able to complete the arXiv request path used by . Security Impact Confidentiality: Low. This specific exploitation is primarily a file primitive rather than direct arbitrary reading. Integrity: High. Attackers can create or overwrite JSON files outside the directory. Availability: Medium. Attackers can fill arbitrary writable directories or corrupt JSON files used by adjacent tools. Scope: Unchanged. CVSS v3.1 Recommendations Recommended Vector: Recommended Base Score: 8.1 (High) Note: If only trusted authenticated users can invoke the MCP interface, adjust PR accordingly. References Repository: https://github.com/elle/mcp-research-server Source Files Reviewed: CWE-22: https://cwe.mitre.org/data/definitions/22.html Credits Discoverer: kinegee Discovery Method: Static analysis (CodeQL) combined with manual source code audit and exploit construction. Additional Notes Audit Conclusion: Vulnerability confirmed. SARIF Results Reviewed: Total count for this repository/rule group 6. Confirmed Issue: Path-based write of outside . Dynamic Exploitation Replay Status: The PoC is a request verified from this audit batch, constructed to the sink path.

Goal Reached Thanks to every supporter — we hit 100%!

MCP Research Server Path Traversal Vulnerability (CWE-22) with POC

More from this source