# Vulnerability Summary: hwpx-mcp-server Arbitrary File Write Vulnerability

## Vulnerability Overview

* **Vulnerability Name**: hwpx-mcp-server Arbitrary File Write Vulnerability (CVE ID Request)
* **Vulnerability Type**: CWE-73 (External Control of File Name or Path)
* **Affected Component**: `mcp-server/src/index.ts`
* **Vulnerability Description**: In `hwpx-mcp-server` version 0.2.0, the `save_document`, `export_to_text`, and `export_to_html` tools accept user-controlled `output_path` parameters without validating whether the target path resides within a secure workspace directory before writing files. An attacker can access the MCP interface over the network to create or overwrite files at any location writable by the server process, leading to loss of integrity, configuration corruption, or denial of service.

## Impact Scope

* **Affected Versions**: 0.2.0
* **Affected Commit**: `8785f8d67f9488d79fcdf061a2993b3ae1416156`
* **Attack Prerequisites**:
  1. The attacker can invoke MCP server tools via a configured MCP client, MCP Inspector, or other clients.
  2. The MCP server process has filesystem write permissions to the target path selected by the attacker.
  3. There are no external sandboxes, container policies, or OS-level access controls preventing the write operation.

## Remediation

1. **Path Normalization**: Use `path.resolve` or equivalent methods to normalize user-provided paths and enforce that all output paths remain within an explicitly configured workspace directory.
2. **Reject Dangerous Paths**: Reject absolute paths, parent directory traversals, symbolic links, device paths, and other special filesystem targets unless explicitly intended and authorized.
3. **Whitelisted Directories**: Implement whitelisted output directories for `save_document`, `export_to_text`, and `export_to_html`.
4. **Input/Output Consistency**: Apply the same security policies to input paths for operations such as `open_document` and `insert_image`.
5. **Regression Testing**: Add regression tests to verify that MCP-controlled paths cannot read from or write to locations outside the configured workspace.

## POC Code

**1. Create a new document**

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "create_document",
    "arguments": {
      "title": "poc",
      "creator": "poc"
    }
  }
}
```

**2. Save the document to an attacker-controlled path using the returned `doc_id`**

```json
{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/call",
  "params": {
    "name": "save_document",
    "arguments": {
      "doc_id": "doc_id from step 1",
      "output_path": "/tmp/hwpx-mcp-arbitrary-write.hwpx",
      "create_backup": false,
      "verify_integrity": false
    }
  }
}
```

**3. Verification**

* Confirm that `/tmp/hwpx-mcp-arbitrary-write.hwpx` was created by the MCP server process.
* Repeat the above steps using any other path writable by the server process to confirm that `output_path` is not restricted to a secure document directory.
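
One way to implement Remediation items 1 and 2 in TypeScript, as an added example that is not hwpx-mcp-server's own code. The names `isInside`, `resolveInWorkspace` and `demo` are hypothetical, the workspace root is assumed to come from server-side configuration, and the temporary workspace and sample paths in `demo` are constructed.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True when `target` is `root` itself or lies beneath it (lexical comparison).
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical helper, not hwpx-mcp-server code: map a client-supplied
// output_path to a canonical path inside workspaceRoot, or throw.
function resolveInWorkspace(workspaceRoot: string, outputPath: string): string {
  if (typeof outputPath !== "string" || outputPath === "" || outputPath.includes("\0")) {
    throw new Error("output_path must be a non-empty string without NUL bytes");
  }
  if (path.isAbsolute(outputPath)) throw new Error("absolute output_path rejected");
  const root = fs.realpathSync(workspaceRoot); // canonical form of the workspace
  const candidate = path.resolve(root, outputPath); // collapses "." and ".."
  if (candidate === root || !isInside(root, candidate)) {
    throw new Error("output_path escapes the workspace");
  }
  // The target may not exist yet, so canonicalize its deepest existing ancestor
  // and re-check: a symlinked directory can pass the lexical test above.
  let existing = path.dirname(candidate);
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) existing = path.dirname(existing);
  const realParent = fs.realpathSync(existing);
  if (!isInside(root, realParent)) throw new Error("symlink leaves the workspace");
  // Never write through a symlink at the final path component.
  const st = fs.lstatSync(candidate, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) throw new Error("output_path is a symbolic link");
  return path.join(realParent, path.relative(existing, candidate));
}

// Constructed scenario: a temporary workspace with one symlink pointing outside it.
function demo(): Record<string, string> {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), "hwpx-ws-"));
  fs.symlinkSync(os.tmpdir(), path.join(ws, "escape"));
  const out: Record<string, string> = {};
  for (const p of ["exports/report.hwpx", "/tmp/hwpx-mcp-arbitrary-write.hwpx",
                   "../outside.hwpx", "escape/outside.hwpx"]) {
    try { resolveInWorkspace(ws, p); out[p] = "allowed"; }
    catch { out[p] = "rejected"; }
  }
  fs.rmSync(ws, { recursive: true, force: true });
  return out;
}
```

The check and the write are separate steps, so the workspace directory should not be writable by other untrusted processes that could swap in a symlink between them.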