PT-2026-2278 · Unknown · Zen Mcp Server
Published 2026-01-12 · Updated 2026-01-12
CVE-2025-66689
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zen MCP Server versions prior to 9.8.2
Description
A path traversal issue allows authenticated attackers to read arbitrary files on the system. The cause is flawed logic in the `is_dangerous_path()` validation function, which uses exact string matching against a blacklist of system directories. Because only the exact directory string is rejected, attackers can bypass the restriction by accessing subdirectories of the blacklisted paths.
Recommendations
Update Zen MCP Server to version 9.8.2 or later.
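As an added illustration (not Zen MCP Server's own code), the flaw class the description names: an exact-match blacklist check beside a check that resolves the path before testing directory containment, plus the allowlist form a defender would prefer. The blacklist contents, allowed roots and function names are assumptions for this example.

```python
from pathlib import Path

# Constructed blacklist of system directories (assumption, not the project's list).
SYSTEM_DIRS = ("/etc", "/proc", "/sys", "/root")
# Constructed allowlist of roots a file-reading tool may serve (assumption).
ALLOWED_ROOTS = ("/srv/workspace",)


def is_dangerous_path_exact(path: str) -> bool:
    """Flawed check of the kind the advisory describes: only the exact
    directory string is rejected, so children of a blacklisted directory
    pass the check."""
    return path in SYSTEM_DIRS


def _is_inside(candidate: Path, directory: Path) -> bool:
    """True if candidate is directory itself or lies anywhere beneath it.
    Comparing path components (not string prefixes) keeps '/etcetera'
    from matching '/etc'."""
    return candidate == directory or directory in candidate.parents


def is_dangerous_path_resolved(path: str, blacklist=SYSTEM_DIRS) -> bool:
    """Hardened blacklist check: resolve symlinks and '..' in both the
    candidate and each blacklisted directory, then test containment."""
    resolved = Path(path).resolve(strict=False)
    return any(_is_inside(resolved, Path(d).resolve(strict=False)) for d in blacklist)


def is_allowed_path(path: str, roots=ALLOWED_ROOTS) -> bool:
    """Allowlist check: the resolved path must sit under a permitted root.
    Anything outside those roots is denied, so no blacklist has to be
    complete to be safe."""
    resolved = Path(path).resolve(strict=False)
    return any(_is_inside(resolved, Path(r).resolve(strict=False)) for r in roots)
```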
Files Accessible to External Parties
Path traversal
Related Identifiers
Affected Products
Zen Mcp Server