Two high-severity vulnerabilities in Anthropic's Model Context Protocol (MCP) Filesystem Server allow attackers to escape sandbox restrictions and execute arbitrary code on host systems.
The vulnerabilities, designated CVE-2025-53109 and CVE-2025-53110, affect all versions prior to 0.6.3 and represent a significant security risk as MCP adoption accelerates across enterprise environments where AI applications often run with elevated privileges.
Key Takeaways
1. CVE-2025-53109 (CVSS 8.4) and CVE-2025-53110 (CVSS 7.3) were discovered in Anthropic's MCP Filesystem Server, allowing sandbox escape.
2. Naive prefix matching lets attackers access directories outside the allowed scope by crafting paths with shared prefixes.
3. Symbolic links bypass all restrictions, enabling filesystem-wide access and arbitrary code execution via Launch Agents.
4. Update to npm version 2025.7.1 immediately; it was released July 1, 2025, to fix both vulnerabilities.
Directory Containment Bypass (CVE-2025-53110)
The first vulnerability, CVE-2025-53110 (CVSS score 7.3), exploits a directory containment bypass through naive prefix-matching validation.
The Filesystem MCP Server uses a simple starts-with check to verify whether requested paths fall within allowed directories.
Researchers demonstrated that an attacker can access directories like /private/tmp/allow_dir_sensitive_credentials when the allowed directory is /private/tmp/allow_dir, because the malicious path begins with the approved prefix.
Symlink Bypass to Code Execution (CVE-2025-53109)
The second, more severe vulnerability, CVE-2025-53109 (CVSS score 8.4), leverages symbolic link manipulation to gain full filesystem access.
Attackers can create symbolic links pointing to sensitive system files like /etc/sudoers. While the server attempts to validate symlink targets through fs.realpath(), flawed error handling in the catch block allows the bypass to succeed.
Cymulate Research Labs reports that the attack chain works by first exploiting the prefix vulnerability to create a directory named /private/tmp/allow_dir_evil, then placing a symlink inside it pointing to restricted files.
When validation fails on the symlink target, the code incorrectly validates the parent directory of the symlink itself rather than the target, enabling a complete security bypass.
Beyond file access, researchers demonstrated how these vulnerabilities enable arbitrary code execution through macOS Launch Agents.
By writing malicious .plist files to locations like /Users/username/Library/LaunchAgents/, attackers can achieve persistent code execution with user privileges at login.
CVE-2025-53110: Directory containment bypass allowing unauthorized file access outside the sandbox. Affected products: Anthropic MCP Filesystem Server versions prior to 0.6.3 and 2025.7.1. CVSS 3.1 score: 7.3 (High).
CVE-2025-53109: Symlink bypass enabling full filesystem access. Affected products: Anthropic MCP Filesystem Server versions prior to 0.6.3 and 2025.7.1. CVSS 3.1 score: 8.4 (High).
Anthropic has released patches in version 2025.7.1 addressing both vulnerabilities.
Organizations should immediately upgrade their MCP implementations and apply the principle of least privilege to limit potential exploitation impact.
The discovery highlights the importance of rigorous security validation as AI systems gain deeper integration with critical infrastructure and sensitive data systems.