PT-2026-37305 · Pypi · Wireshark-Mcp

Published

2026-05-05

·

Updated

2026-05-05

·

CVE-2026-43901

CVSS v3.1

6.8

Medium

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Description

Impact

wireshark-mcp exposes a wireshark export objects MCP tool that accepts an attacker-controlled dest dir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction.
The path sandbox ( allowed dirs) is None by default and only activates when the environment variable WIRESHARK MCP ALLOWED DIRS is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination.
Affected code (src/wireshark mcp/tshark/client.py:531-543):

output validation = self. validate output path(dest dir)

# validate output path only enforces the sandbox when allowed dirs is set.

# Default: allowed dirs = None → no restriction.

os.makedirs(dest dir, exist ok=True)  # creates arbitrary directories

cmd = [..., "--export-objects", f"{protocol},{dest dir}"]

Attack Scenario

An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark export objects with:

dest dir=/home/user/.ssh/
tshark then extracts and writes the HTTP object to that path, granting the attacker SSH access.
The same technique can target:
  • /etc/cron.d/
  • Writable web roots
  • Other sensitive filesystem locations

Additional Affected Operations

The same missing sandbox affects:
  • merge pcap files
  • editcap trim
  • editcap split
  • editcap time shift
  • editcap deduplicate
  • text2pcap import

Proof of Concept

Confirmed on wireshark-mcp v1.1.5 with tshark 4.6.4.
A crafted pcap’s HTTP object was successfully written to an arbitrary filesystem path when:

 allowed dirs = None

Patches

Not yet patched.
A fix should make the path sandbox mandatory for all file-write operations rather than optional:

# Reject all write operations when no sandbox is configured

if not self. allowed dirs:

  return json.dumps({

    "success": False,

    "error": {

      "type": "SecurityError",

      "message": "Set WIRESHARK MCP ALLOWED DIRS before using file-write operations"

    }

  })

Workarounds

Set WIRESHARK MCP ALLOWED DIRS to a restricted safe directory before starting the server:

export WIRESHARK MCP ALLOWED DIRS=/tmp/wireshark mcp safe
This activates the existing sandbox and blocks writes outside the allowed path.

Resources

  • Vulnerable code:
  • src/wireshark mcp/tshark/client.py lines 521–543
  • src/wireshark mcp/tshark/client.py lines 685–839
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  • CWE-73: External Control of File Name or Path

Fix

Path traversal

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-43901
GHSA-3R68-X3XC-RXPG

Affected Products

Wireshark-Mcp