PT-2026-41604 · Npm · Mcp-Ssh-Tool
Published
2026-05-07
·
Updated
2026-05-07
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
mcp-ssh-tool has released version 2.1.1 with security hardening for transfer path authorization and HTTP bearer authentication.The release addresses:
- insufficient local path policy enforcement in transfer-related filesystem handling
- incomplete canonicalization and segment-boundary handling for deny-prefix path policy checks
- non-constant-time HTTP bearer token comparison
Impact
Affected versions may allow policy bypass in transfer path handling under specific configurations, and may expose a timing side channel in bearer-token comparison for HTTP deployments.
Patched Version
Upgrade to
mcp-ssh-tool >= 2.1.1.bash
npm install -g mcp-ssh-tool@latestWorkarounds
For deployments that cannot immediately upgrade:
- avoid exposing HTTP transport beyond loopback
- use strict filesystem policy configuration
- avoid granting MCP clients access to sensitive local transfer paths
- monitor audit logs for unexpected transfer operations
Credits
Reported by
dodge1218.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Mcp-Ssh-Tool