PT-2025-41297 · Wonderwhy Er · Desktopcommandermcp

Crem +1 · Published 2025-10-08 · Updated 2025-10-08 · CVE-2025-11489

CVSS v3.1: 7.0 High
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
wonderwhy-er DesktopCommanderMCP versions up to 0.2.13

Description
A security issue has been identified in the isPathAllowed function within the src/tools/filesystem.ts file of wonderwhy-er DesktopCommanderMCP. This allows for symlink following, potentially leading to unauthorized access or manipulation of files. The attack requires local access and is considered difficult to exploit. The vendor acknowledges that the restriction features are not intended as hardened security boundaries and recommends using Desktop Commander with Docker for enhanced isolation when security is a primary concern. This vulnerability impacts products that are no longer supported by the maintainer.

Recommendations
Versions prior to 0.2.14 are affected. Consider using Desktop Commander with Docker, which provides actual isolation.
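
The weakness class described above, shown as an added example that is not taken from DesktopCommanderMCP's source: an allowed-directory check that compares path strings, beside one that resolves symlinks first. It is written in JavaScript for Node.js on a POSIX system; all function names and the temporary fixture are hypothetical and constructed for the demonstration.

```javascript
// Added illustration; function names are hypothetical, not DesktopCommanderMCP's code.
const fs = require("node:fs"), os = require("node:os"), path = require("node:path");

// True when `candidate` is `root` itself or lies below it.
function isInside(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Weak form: compares strings only, so a symlink under allowedDir that points elsewhere passes.
const lexicalCheck = (allowedDir, requested) =>
  isInside(path.resolve(allowedDir), path.resolve(requested));

// Resolve symlinks on the longest existing prefix and re-append the rest, so
// not-yet-created files can be checked; a dangling symlink is an error.
function realpathOfExistingPrefix(p) {
  const current = path.resolve(p);
  try {
    return fs.realpathSync(current);
  } catch (err) {
    const parent = path.dirname(current);
    if (err.code !== "ENOENT" || parent === current) throw err;
    if (fs.lstatSync(current, { throwIfNoEntry: false })) throw err; // dangling link
    return path.join(realpathOfExistingPrefix(parent), path.basename(current));
  }
}

// Hardened form: compare real paths; anything unresolvable is denied.
function resolvedCheck(allowedDir, requested) {
  try {
    return isInside(fs.realpathSync(allowedDir), realpathOfExistingPrefix(requested));
  } catch { return false; }
}

// Constructed fixture: allowed/ holds a link to a sibling directory and a dangling link.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "symlink-demo-"));
  const allowed = path.join(base, "allowed");
  fs.mkdirSync(allowed);
  fs.mkdirSync(path.join(base, "outside"));
  fs.symlinkSync(path.join(base, "outside"), path.join(allowed, "link"));
  fs.symlinkSync(path.join(base, "missing"), path.join(allowed, "dangling"));
  const results = [lexicalCheck, resolvedCheck].map((check) =>
    ["link/notes.txt", "new/file.txt", "dangling"].map((p) => check(allowed, path.join(allowed, p))));
  fs.rmSync(base, { recursive: true, force: true });
  return results; // one row per check, one column per path above
}
```

Calling `demo()` returns the verdicts of both checks for the three sample paths. Resolving before the comparison does not remove the window between the check and the later file operation, which is consistent with the vendor's position that these restrictions are not a hardened boundary and with the recommendation to rely on Docker for isolation.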

Weakness Enumeration: Link Following

Related Identifiers: CVE-2025-11489

Affected Products: Desktopcommandermcp