Three vulnerabilities are fixed in `mcp-ssh-tool@2.1.1`:
- Insufficient local path policy enforcement in transfer-related filesystem handling. The access control that should block writes to protected directories (e.g., `/etc`, `/root`) is applied to the generic filesystem APIs but not to the tool's own file-transfer functions, so a client can reach those directories through a transfer operation instead.
- Incomplete canonicalization and segment-boundary handling in the deny-prefix path policy check. The path sanitizer does not normalize every form of `..` (e.g., `....//` or URL-encoded variants such as `%2e%2e%2f`) and does not enforce segment boundaries, so a request such as `GET /transfer/../etc/shadow` can evade a deny-prefix rule that was meant to block `/etc`.
- Non-constant-time HTTP bearer token comparison. Token validation uses a byte-by-byte comparison that returns at the first mismatch, so the HTTP response time depends on how long a prefix of the supplied token is correct. An attacker who measures that difference can recover the token one byte at a time.
DailyCVE Form
Platform: nodejs/npm
Version: <2.1.1
Vulnerability: path+timing bypass
Severity: High
Date: 2026-05-08
Prediction: 2026-06-15
What Undercode Say
```sh
# Detect vulnerable deployments (the tool is installed globally below, so list globally)
npm ls -g mcp-ssh-tool 2>/dev/null | grep "mcp-ssh-tool@" || echo "Package not found"
# Upgrade to the patched version
npm install -g mcp-ssh-tool@latest
# Verify the upgrade succeeded: any version >= 2.1.1 is patched, not only 2.1.1 itself
v=$(mcp-ssh-tool --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
[ "$(printf '%s\n' 2.1.1 "$v" | sort -V | head -n1)" = 2.1.1 ] && echo "Patched ($v)" || echo "Vulnerable ($v)"
```
How Exploit
- Path traversal bypass: send a file-transfer request whose path uses a non-canonical `..` sequence (e.g., `....//` or `%2e%2e%2f`), such as `/transfer/....//etc/shadow`. The deny-prefix check only sees the malformed string, which does not start with `/etc`, while the incomplete canonicalization later turns it into `/etc/shadow` before the file is opened.
- Timing side channel: submit a crafted bearer token and measure the response time. Changing one character at a time and comparing round-trip latencies reveals which guess matched one more byte, so the token can be recovered byte by byte.
Protection from this CVE
- Immediate: upgrade to 2.1.1 or later. If that is not possible:
  - Bind the HTTP transport only to `127.0.0.1` (no remote exposure).
  - Use strict filesystem policies (e.g., read-only mounts for sensitive paths).
  - Revoke MCP client access to local transfer directories.
  - Enable audit logging and monitor for unusual transfer operations.
- Detection: scan for `GET /transfer/` requests (and write operations against the same route) whose path contains `..`, `%2e`, or other unusual encoding, including double encoding such as `%252e`. For timing attacks, run anomaly detection on per-request latency across repeated failed bearer-token attempts from the same client.
Impact
- Confidentiality – An attacker can read arbitrary files outside allowed transfer paths, including SSH keys, configuration files, and credentials. The timing side channel can recover bearer tokens, leading to full authentication bypass.
- Integrity – Write operations may be similarly bypassed, allowing unauthorized file modifications or planting of malicious content.
- Availability – Not directly affected, but token compromise may enable further disruptive actions.
- Attack complexity – Low for path traversal (a single HTTP request); moderate for the timing attack (many requests and a low-jitter network path to the server are needed to separate the per-byte difference from noise).
Sources:
Reported By: github.com