CVE-2025-67364
Description
fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in fast-filesystem-mcp 3.4.0 allows attackers to bypass directory restrictions by using symlinks that are not resolved to their real paths during validation.
Vulnerability
Overview
CVE-2025-67364 is a critical path traversal vulnerability in fast-filesystem-mcp version 3.4.0, a high-performance Model Context Protocol (MCP) server for filesystem access. The flaw resides in the safePath and isPathAllowed functions within utils.ts, which use path.resolve() to validate file paths. This method does not resolve symbolic links to their actual physical paths, an oversight that allows attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths [1][3].
Exploitation
Mechanism
An attacker with the ability to create symbolic links (e.g., via a write operation within an allowed directory) can craft a symlink that points to a sensitive file outside the permitted scope. When a file operation tool such as fast_read_file is invoked with a path that traverses through this symlink, the validation check (startsWith on the allowed directory) passes because the symlink itself resides within the allowed directory. However, the underlying file system call (e.g., fs.open()) follows the symlink and accesses the target file, effectively circumventing the intended access controls [1][3].
Impact
Successful exploitation allows an attacker to read, and potentially modify or delete, files outside the configured allowed directories. This can lead to unauthorized access to sensitive system files, configuration data, or user data, depending on the server's permissions and the attacker's ability to create symlinks [1].
Mitigation
Status
As of the publication date, the vulnerability is present in version 3.4.0. The official GitHub repository for fast-filesystem-mcp [2] does not indicate a patched version in the provided references. Users are advised to monitor the project for updates and apply any security patches as soon as a fix is released. In the interim, restricting the ability to create symlinks within allowed directories or using a more robust path validation method (e.g., fs.realpathSync()) can mitigate the risk [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-filesystem-mcp (npm) | <= 3.4.0 | — |
Affected products
- (no CPE) range: v2.7.0, v2.7.1, v3.3.2, …
- (no CPE) range: = 3.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.