mail-mcp-bridge Path Traversal Leading to Arbitrary Directory Deletion

mail-mcp-bridge Path Traversal / Arbitrary Directory Deletion Vulnerability Summary Vulnerability Overview Vulnerability Type: Path Traversal (CWE-22) / External Control of File Name or Path (CWE-73) Vulnerability Description: The tool is intended to delete only temporary extraction directories within the attachment cache root directory. However, the implementation only strips square brackets from the and fails to handle traversal sequences such as . An attacker can construct a malicious , causing the service to recursively delete arbitrary directories under the root directory. Technical Root Cause: 1. The server exposes a cleanup tool that forwards caller-controlled . 2. The default attachment base path is . 3. Each attacker-controlled is normalized only via , without removing traversal tokens. 4. The code enumerates and recursively deletes the resulting path without content checks. 5. The extraction helper has the same root cause when creating directories. Impact Scope Affected Versions: Affected Scope: Revisions containing the same path concatenation behavior. Security Impact: - Confidentiality: Low (cleanup code enumerates files and displays sizes). - Integrity: High (attackers can delete directories outside the cache root). - Availability: High (deleting application data or operator-owned temporary directories may compromise the host or nearby services). - Scope: Unchanged. CVSS v3.1 Recommendation: - Vector: - Base Score: 8.8 (High) Remediation Workarounds / Mitigations: 1. Reject values containing path separators, traversal tokens, or absolute path syntax before using the value as a directory name. 2. Resolve candidate directories and verify they remain within the canonical attachment base directory before calling , , or . 3. Consider using server-generated opaque directory names instead of directly mapping raw values to the filesystem. 4. Restrict access to the attachment management tool before deploying the fix. Recommended Fixes: 1. Apply normalization with root boundary enforcement in and . 2. Treat as untrusted input, even if it resembles email header values; remove path separators, not just strip square brackets. 3. Add regression tests covering payloads such as , , absolute paths, and symlink-based payloads. 4. Return an explicit error when resolving paths outside the attachment cache root directory. Actual Fix Status: Fixed and released in version . - Prevents attachment directory escape from the configured base directory. - Maps Message-ID values to securely encoded directory names while preserving RFC-valid IDs (including IDs containing ). - Restored package-style imports to update modules. - Added regression tests covering traversal-shaped inputs, symlink escapes, Message-IDs containing slashes, and package imports. Proof of Concept (PoC) Code 1. Set Environment Variables 2. Create a Harmless Sibling Directory 3. Send MCP Tool Call 4. Expected Result The assistant calculates . succeeds because the path resolves to . deletes the sibling directory outside of . The JSON response reports the cleaned path similar to , and subsequently disappears.

Goal Reached Thanks to every supporter — we hit 100%!

mail-mcp-bridge Path Traversal Leading to Arbitrary Directory Deletion

More from this source