CVE-2025-53110

HIGH

Modelcontextprotocol Server-filesystem - Path Traversal

Title source: rule

Description

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w

Patch x_refsource_misc

https://github.com/modelcontextprotocol/servers/commit/cc99bdabdcad93a58877c5f3ab20e21d4394423d

View Patch ZIP pw:eip

Scores

CVSS v4 7.3

EPSS 0.0031

EPSS Percentile 54.4%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

modelcontextprotocol/server-filesystem 0npm

modelcontextprotocol/servers < 0.6.4

modelcontextprotocol/servers < 2025.7.01

Published Jul 02, 2025

Tracked Since Feb 18, 2026