TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2025-66689

MEDIUM
6.5

Beschreibung

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths.

CVE Details

CVSS v3.1 Bewertung6.5
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht1/12/2026
Zuletzt geandert1/22/2026
Quellenvd
Honeypot-Sichtungen0

Betroffene Produkte

busymac:pal_mcp_server

Schwachen (CWE)

CWE-22CWE-552

Referenzen

https://github.com/BeehiveInnovations/zen-mcp-server/issues/293(cve@mitre.org)
https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md(cve@mitre.org)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.