Overview
Path traversal vulnerability in the filesystem-mcp module allows escaping configured directory boundaries to read or write arbitrary files on the host system.
Who Is Affected
Reported by SentinelOne. Affects users of the filesystem-mcp package who rely on its directory scoping to restrict MCP agent file access.
Where It Exists
The vulnerability is in the filesystem-mcp module's path validation logic. The module is designed to restrict file operations to configured directories but fails to properly validate paths containing traversal sequences.
When It Was Found
Disclosed in January 2026 by SentinelOne as part of a broader MCP server vulnerability assessment.
How It Works
An attacker provides file paths containing directory traversal sequences (../) that escape the configured root directory. The insufficient path validation allows reading files anywhere on the filesystem that the server process has access to. This can be triggered directly or via prompt injection in documents the agent processes.
Impact
Escape from configured directory boundaries. Attackers can read sensitive files (credentials, source code, configuration) and potentially write files outside the intended scope. Combined with other vulnerabilities (like the Anthropic Git chain), path traversal can be a key step in achieving full RCE.
Mitigation
Implement strict path canonicalization before all file operations. Resolve all symbolic links and normalize path components. Use chroot or filesystem namespaces as defense-in-depth. Validate that the canonicalized absolute path starts with the configured root directory prefix.