CVE-2025-67364 — HIGH (7.5)

Vulnerability Description

fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Efforthye	Fast-Filesystem-Mcp	3.4.0

Related Weaknesses (CWE)

CWE-24

References

https://github.com/efforthye/fast-filesystem-mcpProduct
https://github.com/efforthye/fast-filesystem-mcp/issues/10ExploitIssue Tracking

FAQ

What is CVE-2025-67364?

CVE-2025-67364 is a vulnerability with a CVSS score of 7.5 (HIGH). fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fa...

How severe is CVE-2025-67364?

CVE-2025-67364 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-67364?

Check the references section above for vendor advisories and patch information. Affected products include: Efforthye Fast-Filesystem-Mcp.