This is a write-up on a security advisory that I disclosed to the Mastra AI framework and their MCP Server that serves documentation and was found to be vulnerable to directory traversal vulnerability. The affected Mastra AI component is the MCP Server project available as an npm package: @mastra/mcp-docs-server.
The @mastra/mcp-docs-server package, a critical component for AI-driven documentation workflows, has been identified to contain a directory traversal vulnerability in versions 0.13.18 and below. This flaw allows unauthorized directory listing, potentially exposing sensitive information. This advisory details the vulnerability, its exploitation, impact, and recommended mitigations.
The vulnerability stems from a logical flaw in the execute function of the @mastra/mcp-docs-server package. Although the readMdxContent function includes a security check to prevent path traversal, this check is bypassed due to subsequent logic that attempts to find directory suggestions without proper validation.
The readMdxContent function attempts to validate paths:
async function readMdxContent(docPath: string, queryKeywords: string[]): Promise<ReadMdxResult> {
const fullPath = path.resolve(path.join(docsBaseDir, docPath));
if (!fullPath.startsWith(path.resolve(docsBaseDir))) {
void logger.error(`Path traversal attempt detected`);
return { found: false };
}
// ...
}
However, the execute function continues processing even when a path traversal is detected:
execute: async (args: DocsInput) => {
// ...
const result = await readMdxContent(path, queryKeywords);
if (result.found) {
return { /* ... */ };
}
// VULNERABILITY: This code executes even after a path traversal attempt is detected
const directorySuggestions = await findNearestDirectory(path, availablePaths);
const contentBasedSuggestions = await getMatchingPaths(path, queryKeywords, docsBaseDir);
return {
path,
content: null,
error: [directorySuggestions, contentBasedSuggestions].join('\n\n'),
};
}
This oversight allows the use of unvalidated paths for directory listing, effectively nullifying the initial security check.
An attacker can exploit this vulnerability through prompt injection in AI coding assistants like Cursor IDE. By crafting a prompt that instructs the AI agent to use a traversal path, the attacker can trick the tool into listing directories outside its intended scope.
Configure Cursor IDE: Define the Mastra MCP server in the .cursor/mcp.json file:
{
"mcpServers": {
"mastra": {
"command": "npx",
"args": ["-y", "@mastra/mcp-docs-server"]
}
}
}
Enable the MCP server within the IDE.
Initiate a new chat and use a malicious prompt to exploit the vulnerability.
Observe the output, which will contain the directory listing from the root of the user’s home directory.
Following is a video demonstration of the exploitation process:
To mitigate this vulnerability, the following changes are recommended:
Halt Execution on Failure: Modify the execute function to stop processing if a path traversal is detected:
const result = await readMdxContent(path, queryKeywords);
if (!result.found) {
return {
path,
content: null,
error: "Path not found or access denied.",
};
}
Defense-in-Depth: Apply path validation logic to the findNearestDirectory function to ensure it cannot operate outside the intended base directory.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NThis vulnerability was disclosed by Liran Tal, a recognized expert in application security and open-source tooling.
For further updates and security research, follow Liran Tal on Twitter and explore more on GitHub.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。