PT-2026-60900 · Npm · Mcp-Memory-Keeper
CVE-2026-54561
·
Publicado
2026-07-17
·
Atualizado
2026-07-17
CVSS v3.1
6.2
Média
| Vetor | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Impact
context import passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client — or an LLM agent that is prompt-injected into calling the tool — could point filePath at any file readable by the server process, outside any session or export directory:- Full disclosure (JSON files): a valid-JSON target (e.g. another user's exported session, or a
*.jsoncredential / service-account file) is parsed and imported into the caller's session, then retrievable verbatim viacontext get/context export. - Partial disclosure (any file): for a non-JSON target (e.g.
/etc/passwd, an SSH key, a.env),JSON.parsethrows and V8 includes a snippet of the file's leading bytes in theSyntaxErrormessage, which was returned verbatim to the caller.
Both
../ traversal and absolute paths worked — there was no path confinement of any kind.In a typical MCP deployment the server runs on the developer's machine, so the reachable set includes other users' exported memory sessions, JSON credential/config files, and (in leading-bytes form)
.env files, SSH keys, and /etc/passwd. The trigger is a tool argument, so the realistic threat model is an LLM agent prompt-injected into calling context import, or any MCP client connected to the server.Patches
Fixed in 0.13.0 (PR #36):
- Imports are confined to a server-owned exports directory (
<DATA DIR>/exports, overridable viaMEMORY KEEPER EXPORT DIR), resolved withrealpathSync.../traversal, absolute paths outside the directory, and symlink escapes are all rejected. - File read and
JSON.parseare separate operations; read/parse failures return a generic message and never echo file bytes (theSyntaxError-message leak is gone). The database-write path is likewise generic. - An E2E security regression suite covers the reported arbitrary-read and traversal vectors, plus symlink escape, the directory-prefix boundary, and a no-existence-oracle check.
Workarounds
Upgrade to
>= 0.13.0. There is no configuration-only workaround for affected versions.Resources
- Report: GitHub issue #35
- Fix: PR #36
Credit
Reported by Zhihao Zhang (@mcfly-zzh).
Correção
Generation of Error Message Containing Sensitive Information
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Mcp-Memory-Keeper