# Summary of Arbitrary JSON Write Vulnerability in `sqlite-mcp` `extract_to_json`

## Vulnerability Overview

A path traversal vulnerability exists in the `extract_to_json` tool within the `sqlite-mcp` project. This tool allows users to write SQLite database contents to any JSON path writable by the service account by controlling the `output_filename` parameter, without normalizing the path or restricting it to the database directory.

## Impact Scope

* **Affected Versions**: 0.1.0
* **Vulnerability Type**: CWE-73 (External Control of File Name or Path)
* **CVSS Score**: 9.1 (Critical)
* **Exploitation Prerequisites**:
  1. Ability to invoke the `extract_to_json` MCP tool.
  2. The service account has write permissions to the target path.
  3. The target SQLite database exists.

## Remediation

1. **Restrict Export Directory**: Limit exports to a fixed, allowed directory (similar to the implementation of `backup_database`).
2. **Path Normalization**: Normalize the target path and reject paths containing `..` or other sequences attempting to escape the export root directory.
3. **Code Implementation Recommendations**:
   * Use `os.path.abspath` or `Path.resolve()` to handle paths.
   * Enforce parent boundary checks before opening the file.
   * Validate `table_name` to prevent SQL injection.

## POC Code

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "extract_to_json",
    "arguments": {
      "table_name": "sqlite_master",
      "output_filename": "../../../../../tmp/sqlite_mcp.dump"
    }
  }
}
```
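
The boundary check and `table_name` validation recommended under Remediation could look like the following. This is an added Python example, not code from the `sqlite-mcp` project; `EXPORT_ROOT`, `resolve_export_path`, `validate_table_name` and `check_export_request` are hypothetical names, and the allow-list of existing tables is one assumed way to validate `table_name`.

```python
import re
import sqlite3
from pathlib import Path

# Hypothetical export root (assumption; not a path taken from sqlite-mcp).
EXPORT_ROOT = Path("/var/lib/sqlite-mcp/exports")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def resolve_export_path(output_filename: str, root: Path = EXPORT_ROOT) -> Path:
    """Return the resolved write target, or raise ValueError if it leaves root."""
    if not output_filename or "\x00" in output_filename:
        raise ValueError("empty or malformed filename")
    root = root.resolve()
    # Joining an absolute filename discards root, and resolve() collapses
    # '..' and follows existing symlinks, so the check below runs on the
    # path the OS would actually open.
    target = (root / output_filename).resolve()
    # Component-wise comparison (Python 3.9+): a string prefix test would
    # accept a sibling such as '<root>_evil/x.json'.
    if target == root or not target.is_relative_to(root):
        raise ValueError(f"path escapes export root: {output_filename!r}")
    return target


def validate_table_name(conn: sqlite3.Connection, table_name: str) -> str:
    """Accept only a plain identifier that names an existing table."""
    if not _IDENT.fullmatch(table_name):
        raise ValueError("invalid table name")
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    if row is None:
        raise ValueError("unknown table")
    return table_name


def check_export_request(conn, arguments: dict, root: Path = EXPORT_ROOT):
    """Validate both tool arguments before any query or file open happens."""
    table = validate_table_name(conn, arguments["table_name"])
    return table, resolve_export_path(arguments["output_filename"], root)
```

The returned path should be the one passed to `open()`; re-joining the raw `output_filename` after the check would reintroduce the traversal.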