# MLops_MCP Arbitrary File Write Vulnerability Summary

## Vulnerability Overview

- **Vulnerability Name**: MLops_MCP Arbitrary File Write via save_file Destination Escape Vulnerability
- **Vulnerability ID**: CVE ID Request
- **Report Date**: April 10, 2026
- **Vulnerability Type**: CWE-73 (External Control of File Name or Path)
- **Severity**: CVSS v3.1 Base Score 8.1 (High)

**Core Issue**: The `save_file` MCP tool is intended to save uploaded content into a target folder under the server's current working directory, but it computes `dest_path` as `os.path.join(os.getcwd(), destination)` and trusts the result without checking it. Because `os.path.join` discards every preceding component when a later component is absolute, an absolute `destination` replaces `os.getcwd()` entirely, and `..` sequences in a relative `destination` are never normalized or rejected. The tool then calls `os.makedirs()` and `open(file_path, ...)` on the resulting path, so a caller can create or overwrite any file the server process is permitted to write, outside the project workspace.

## Impact Scope

- **Affected Version**: 1.0.0
- **Affected Component**: `fastmcp_server.py`
- **Impact Scope**:
  - **Confidentiality**: Not directly confirmed
  - **Integrity**: High, because any file the server process can write may be created or overwritten outside the workspace
  - **Availability**: Medium, as attackers may overwrite operational files or fill storage
  - **Scope**: Unchanged

## Remediation Plan

1. Resolve the target path (following symlinks) and verify that it remains within the dedicated workspace directory before calling `os.makedirs()` or `open()`.
2. Independently validate `filename` and reject parent references (`..`) and path separators, so an escape cannot be smuggled through the file name even when `destination` is checked.
3. Add regression tests for absolute paths, `..`, Windows drive letters, and symbolic links.
4. Align the implementation with the workspace-oriented storage model shown in the README.
## POC Code

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "save_file",
    "arguments": {
      "filename": "owned.txt",
      "content": "owned outside workspace",
      "destination": "/tmp/mlops_mcp_poc"
    }
  }
}
```

**Exploitation Description**:

- `os.path.join(os.getcwd(), "/tmp/mlops_mcp_poc")` evaluates to `/tmp/mlops_mcp_poc`, whatever the working directory is
- The server creates `/tmp/mlops_mcp_poc`
- It writes `/tmp/mlops_mcp_poc/owned.txt`
- Expected result: `/tmp/mlops_mcp_poc/owned.txt` exists outside the workspace, confirming the arbitrary write
- The same bypass applies to relative traversal, e.g. `destination=../../../../../tmp/mlops_mcp_poc`, which reaches the same directory from any working directory up to five levels deep (surplus `..` components collapse at the filesystem root)
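The following is an added example, not code from the MLops_MCP project or from the original advisory. It reproduces the flawed `os.path.join` computation for the two POC inputs above, and sets beside it a hardened resolver that implements remediation steps 1 and 2 (containment check after symlink resolution, separate validation of `filename`) and covers the regression cases listed in step 3 (absolute paths, `..`, Windows drive letters, symlinks). The workspace path `/srv/mlops`, the function names, and the `save_file_hardened` wrapper are assumptions chosen for illustration; the project's real tool signature may differ.

```python
"""Vulnerable vs hardened destination handling for an MCP save_file tool."""
import ntpath
import os
import posixpath


def vulnerable_dest_path(cwd: str, destination: str) -> str:
    # The flawed computation described in the advisory: os.path.join discards
    # `cwd` entirely when `destination` is absolute, and does nothing about "..".
    return os.path.join(cwd, destination)


def safe_filename(filename: str) -> str:
    """Accept only a bare file name: no separators, no parent references, no NULs."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or malformed filename")
    if filename in (".", ".."):
        raise ValueError("filename must not be a directory reference")
    # Check both separator conventions so a Windows-style name ("a\\b") cannot
    # slip past a POSIX host, and vice versa.
    if posixpath.basename(filename) != filename or ntpath.basename(filename) != filename:
        raise ValueError("filename must not contain path separators")
    return filename


def resolve_in_workspace(workspace: str, destination: str, filename: str) -> str:
    """Return the absolute path for `filename` under `destination`, or raise
    ValueError if it would land outside `workspace`. Call this before
    os.makedirs()/open(), never after."""
    if "\x00" in destination:
        raise ValueError("malformed destination")
    # Reject anything absolute under either path flavour. Drive letters ("C:",
    # "C:\\...") and UNC prefixes are not absolute to os.path.join on POSIX, so
    # they are caught explicitly via ntpath.splitdrive().
    if posixpath.isabs(destination) or ntpath.isabs(destination) or ntpath.splitdrive(destination)[0]:
        raise ValueError("destination must be relative to the workspace")
    # realpath() follows symlinks in the existing prefix, so a link planted inside
    # the workspace that points outside it fails the containment check below.
    workspace_real = os.path.realpath(workspace)
    dest_real = os.path.realpath(os.path.join(workspace_real, destination))
    if os.path.commonpath([workspace_real, dest_real]) != workspace_real:
        raise ValueError(f"destination escapes workspace: {destination!r}")
    return os.path.join(dest_real, safe_filename(filename))


def save_file_hardened(workspace: str, filename: str, content: str, destination: str) -> str:
    """Shape of a fixed tool body (hypothetical): validate first, then create and write."""
    file_path = resolve_in_workspace(workspace, destination, filename)
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return file_path


if __name__ == "__main__":
    # Replay the advisory's two escape inputs against the flawed join, then show
    # the hardened resolver rejecting both. "/srv/mlops" is a constructed workspace.
    cwd = "/srv/mlops"
    for dest in ("/tmp/mlops_mcp_poc", "../../../../../tmp/mlops_mcp_poc"):
        print("vulnerable:", dest, "->", os.path.normpath(vulnerable_dest_path(cwd, dest)))
        try:
            resolve_in_workspace(cwd, dest, "owned.txt")
        except ValueError as exc:
            print("hardened  :", exc)
```

The containment test is done on `realpath()` output rather than on the string returned by `os.path.normpath()`, because a symlink inside the workspace can point anywhere and string normalization would never see it. Checking `filename` separately (step 2) matters even with the destination check in place: `filename="../owned.txt"` joined onto a valid `dest_real` would otherwise step back out of the validated directory.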