# Vulnerability Summary: @agiflowai/scaffold-mcp Arbitrary File Write Vulnerability

## Vulnerability Overview

An arbitrary file write vulnerability (CWE-22) was discovered in the `write-to-file` tool of `@agiflowai/scaffold-mcp`. This tool accepts a user-provided `file_path` parameter and, after resolving absolute or relative paths, writes attacker-controlled content to that path without enforcing workspace or base directory boundaries. An attacker can write to or overwrite arbitrary files, potentially leading to integrity loss, configuration corruption, or further exploitation.

## Impact Scope

- **Affected Version**: `@agiflowai/scaffold-mcp` version 1.0.27
- **Affected Components**:
  - `packages/scaffold-mcp/src/tools/WriteToFileTool.ts`
  - `packages/scaffold-mcp/src/server/index.ts`
- **CVSS Score**: 9.4 (Critical)
- **Attack Prerequisites**:
  - Attacker can invoke the affected MCP tools exposed by the scaffold-mcp server
  - The `write-to-file` tool is reachable by the attacker
  - The server process has file system write permissions for the target path chosen by the attacker
  - No effective authentication, authorization, sandboxing, or runtime policy prevents attacker-controlled absolute paths from reaching the sink before writing

## Remediation

- **Eliminate** the data flow to arbitrary file writes
- **Resolve** `file_path` using `path.resolve` and compare with a trusted workspace root directory, then apply path-aware boundary checks on the resolved path
- **Reject** absolute paths unless they are explicitly allowed and remain within the intended workspace
- **Consider** exposing higher-level operations that only accept project-relative paths
- **Add** regression tests proving that paths such as `/tmp/aicode-toolkit-poc.txt` and `../../outside-workspace.txt` cannot be written via `write-to-file`
- **Publish** a maintainer security advisory once the patch is released

## POC Code

```bash
# Start the affected server
cd aicode-toolkit
npx @modelcontextprotocol/inspector \
  npx -y @agiflowai/scaffold-mcp mcp-serve
```

Invoke the `write-to-file` tool with the following parameters:

```json
{
  "file_path": "/tmp/aicode-toolkit-poc.txt",
  "content": "AICODE_TOOLKIT_ARBITRARY_FILE_WRITE_20260411"
}
```

```bash
# Verify the file exists and contains the content written above
cat /tmp/aicode-toolkit-poc.txt
```
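
The boundary check and regression cases listed under Remediation, as an added example (not the project's patch or code). `resolveInsideWorkspace`, `isInside` and `runRegressionCases` are hypothetical names, the test paths other than the two quoted in the advisory are constructed, and the symlink check goes one step beyond the lexical comparison the advisory describes.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True when candidate is root itself or lies beneath it. Comparing path
// segments avoids the string-prefix trap (/ws vs /ws-evil).
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical helper, not the project's API: returns the absolute path a
// write may use, or throws if file_path leaves workspaceRoot.
export function resolveInsideWorkspace(workspaceRoot: string, filePath: string): string {
  if (filePath.length === 0 || filePath.includes("\0")) throw new Error("invalid file_path");
  if (path.isAbsolute(filePath)) throw new Error("absolute file_path rejected");
  const root = fs.realpathSync(workspaceRoot);
  const target = path.resolve(root, filePath);
  if (target === root || !isInside(root, target)) throw new Error("file_path escapes workspace");
  // Canonicalise the deepest existing ancestor so a symlink inside the workspace
  // cannot redirect the write. A dangling link makes realpathSync throw (fail closed).
  let existing = target;
  while (fs.lstatSync(existing, { throwIfNoEntry: false }) === undefined) {
    existing = path.dirname(existing);
  }
  if (!isInside(root, fs.realpathSync(existing))) throw new Error("symlink escapes workspace");
  return target;
}

// Regression cases run against a throwaway workspace (constructed inputs).
export function runRegressionCases(): Record<string, string> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-check-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(root);
  fs.symlinkSync(base, path.join(root, "link")); // points outside the workspace
  const cases = ["src/new-file.ts", "/tmp/aicode-toolkit-poc.txt",
    "../../outside-workspace.txt", "../workspace-evil/x.txt", "link/x.txt"];
  const results: Record<string, string> = {};
  for (const c of cases) {
    try { resolveInsideWorkspace(root, c); results[c] = "allowed"; }
    catch { results[c] = "rejected"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

The check and the later write are separate steps, so the write should use the returned path directly and the workspace should not be writable by untrusted local processes.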