šŸ¦„ Node.js Security

~ 3 min read

A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server

share on
MCP Servers are increasingly popular for AI-driven workflows. However, I discovered a directory traversal vulnerability in the Mastra AI Frameworks MCP Server that could expose sensitive information. This article explores the flaw, its exploitation, and mitigation strategies.

This is a write-up on a security advisory that I disclosed to the Mastra AI framework and their MCP Server that serves documentation and was found to be vulnerable to directory traversal vulnerability. The affected Mastra AI component is the MCP Server project available as an npm package: @mastra/mcp-docs-server.

The @mastra/mcp-docs-server package, a critical component for AI-driven documentation workflows, has been identified to contain a directory traversal vulnerability in versions 0.13.18 and below. This flaw allows unauthorized directory listing, potentially exposing sensitive information. This advisory details the vulnerability, its exploitation, impact, and recommended mitigations.

mastra ai framework cve information exposure and path traversal

Technical Root Cause

The vulnerability stems from a logical flaw in the execute function of the @mastra/mcp-docs-server package. Although the readMdxContent function includes a security check to prevent path traversal, this check is bypassed due to subsequent logic that attempts to find directory suggestions without proper validation.

Code Analysis

The readMdxContent function attempts to validate paths:

async function readMdxContent(docPath: string, queryKeywords: string[]): Promise<ReadMdxResult> {
  const fullPath = path.resolve(path.join(docsBaseDir, docPath));
  if (!fullPath.startsWith(path.resolve(docsBaseDir))) {
    void logger.error(`Path traversal attempt detected`);
    return { found: false };
  }
  // ...
}

However, the execute function continues processing even when a path traversal is detected:

execute: async (args: DocsInput) => {
  // ...
  const result = await readMdxContent(path, queryKeywords);
  if (result.found) {
    return { /* ... */ };
  }


  // VULNERABILITY: This code executes even after a path traversal attempt is detected
  const directorySuggestions = await findNearestDirectory(path, availablePaths);
  const contentBasedSuggestions = await getMatchingPaths(path, queryKeywords, docsBaseDir);
  return {
    path,
    content: null,
    error: [directorySuggestions, contentBasedSuggestions].join('\n\n'),
  };
}

This oversight allows the use of unvalidated paths for directory listing, effectively nullifying the initial security check.

Exploitation

An attacker can exploit this vulnerability through prompt injection in AI coding assistants like Cursor IDE. By crafting a prompt that instructs the AI agent to use a traversal path, the attacker can trick the tool into listing directories outside its intended scope.

Proof of Concept

  1. Configure Cursor IDE: Define the Mastra MCP server in the .cursor/mcp.json file:

    {
      "mcpServers": {
        "mastra": {
          "command": "npx",
          "args": ["-y", "@mastra/mcp-docs-server"]
        }
      }
    }

  2. Enable the MCP server within the IDE.

  3. Initiate a new chat and use a malicious prompt to exploit the vulnerability.

  4. Observe the output, which will contain the directory listing from the root of the userā€™s home directory.

Following is a video demonstration of the exploitation process:

Recommendation

To mitigate this vulnerability, the following changes are recommended:

  1. Halt Execution on Failure: Modify the execute function to stop processing if a path traversal is detected:

    const result = await readMdxContent(path, queryKeywords);
    if (!result.found) {
      return {
        path,
        content: null,
        error: "Path not found or access denied.",
      };
    }

  2. Defense-in-Depth: Apply path validation logic to the findNearestDirectory function to ensure it cannot operate outside the intended base directory.

CVE Details

  • Recommended CWE: CWE-548: Exposure of Information Through Directory Listing, resulting from an incomplete fix for CWE-22: Improper Limitation of a Pathname to a Restricted Directory (ā€˜Path Traversalā€™).
  • Recommended CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit

This vulnerability was disclosed by Liran Tal, a recognized expert in application security and open-source tooling.

References

For further updates and security research, follow Liran Tal on Twitter and explore more on GitHub.

Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.

    Built with ConvertKit