SecuriTricks - CVE-2025-53109

Description

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Product(s) Impacted

Vendor	Product	Versions
Filesystem	Filesystem	<0.6.4, 0.6.4, 2025.7.01

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	filesystem	filesystem	<0.6.4	/	/	/	/	/	/	/
a	filesystem	filesystem	0.6.4	/	/	/	/	/	/	/
a	filesystem	filesystem	2025.7.01	/	/	/	/	/	/	/

References

https://github.com/modelcontextprotocol/servers/commit/d00c60df9d74dba8a3bb13113f8904407cda594f

https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-q66q-fx2p-7w4m

CVSS Score

7.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: NONE
User Interaction: PASSIVE
Scope:
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: July 2, 2025, 3:15 p.m.
Last Modified: July 3, 2025, 3:13 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-53109