CVE-2025-53110

HIGH

Model Context Protocol Servers < 0.6.4 and < 2025.7.01 - Path Traversal

Title source: llm
STIX 2.1

Description

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Scores

CVSS v4 7.3
EPSS 0.0050
EPSS Percentile 39.1%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (3)
modelcontextprotocol/server-filesystem 0npm
modelcontextprotocol/servers < 0.6.4
modelcontextprotocol/servers < 2025.7.01
Published Jul 02, 2025
Tracked Since Feb 18, 2026