PT-2026-60900 · Npm · Mcp-Memory-Keeper

CVE-2026-54561

·

Publicado

2026-07-17

·

Atualizado

2026-07-17

CVSS v3.1

6.2

Média

VetorAV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact

context import passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client — or an LLM agent that is prompt-injected into calling the tool — could point filePath at any file readable by the server process, outside any session or export directory:
  • Full disclosure (JSON files): a valid-JSON target (e.g. another user's exported session, or a *.json credential / service-account file) is parsed and imported into the caller's session, then retrievable verbatim via context get / context export.
  • Partial disclosure (any file): for a non-JSON target (e.g. /etc/passwd, an SSH key, a .env), JSON.parse throws and V8 includes a snippet of the file's leading bytes in the SyntaxError message, which was returned verbatim to the caller.
Both ../ traversal and absolute paths worked — there was no path confinement of any kind.
In a typical MCP deployment the server runs on the developer's machine, so the reachable set includes other users' exported memory sessions, JSON credential/config files, and (in leading-bytes form) .env files, SSH keys, and /etc/passwd. The trigger is a tool argument, so the realistic threat model is an LLM agent prompt-injected into calling context import, or any MCP client connected to the server.

Patches

Fixed in 0.13.0 (PR #36):
  • Imports are confined to a server-owned exports directory (<DATA DIR>/exports, overridable via MEMORY KEEPER EXPORT DIR), resolved with realpathSync. ../ traversal, absolute paths outside the directory, and symlink escapes are all rejected.
  • File read and JSON.parse are separate operations; read/parse failures return a generic message and never echo file bytes (the SyntaxError-message leak is gone). The database-write path is likewise generic.
  • An E2E security regression suite covers the reported arbitrary-read and traversal vectors, plus symlink escape, the directory-prefix boundary, and a no-existence-oracle check.

Workarounds

Upgrade to >= 0.13.0. There is no configuration-only workaround for affected versions.

Resources

  • Report: GitHub issue #35
  • Fix: PR #36

Credit

Reported by Zhihao Zhang (@mcfly-zzh).

Correção

Generation of Error Message Containing Sensitive Information

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54561
GHSA-F7WF-V2VW-MPCX

Produtos afetados

Mcp-Memory-Keeper