nyamkamunhjin/devsummit-mcp-server
high
No description
This MCP server provides a set of basic tools for performing arithmetic calculations, reading and writing files on the local filesystem, and retrievin...
// Source file not analyzed: src/tools/file-operations.js
// Finding inferred from import chain: src/index.ts:12
// Local-only MCP, requires compromised LLM to exploit
The fileOperationsTool allows writing to arbitrary paths. An attacker can overwrite critical system files, configuration files, or plant malicious scripts (e.g., cron jobs, SSH authorized_keys).
Impact: An attacker can write arbitrary content to any file on the filesystem, potentially leading to code execution, privilege escalation, or a persistent backdoor.
Fix: Restrict write operations to a specific allowed directory. Validate that the resolved path is within the allowed directory. Consider requiring explicit confirmation for overwriting existing files.
// Source file not analyzed: src/tools/file-operations.js
// Finding inferred from import chain: src/index.ts:12
// Local-only MCP, requires compromised LLM to exploit
The fileOperationsTool exposes read and write capabilities on the local filesystem. Without path validation, an attacker can read any file on the system, including sensitive files like /etc/passwd, SSH keys, or application secrets.
Impact: An attacker (compromised LLM) can read arbitrary files from the filesystem, leading to information disclosure of sensitive data.
Fix: Restrict file operations to a specific allowed directory (e.g., a sandboxed folder). Validate that the resolved path is within the allowed directory by resolving it with path.resolve and checking the resulting string with startsWith against the allowed directory (including a trailing path separator). Reject paths containing '..' or symlinks that escape the sandbox.
// Source file not analyzed: src/tools/file-operations.js
// Finding inferred from import chain: src/index.ts:12
// Local-only MCP, requires compromised LLM to exploit
The intended purpose of the server is to provide basic arithmetic, file read/write, and mock weather. However, the file operations tool allows reading and writing any file on the filesystem, which is far beyond what is needed for a simple demonstration. This excessive scope increases the attack surface.
Impact: An attacker can abuse the file operations to read sensitive files or write malicious content, as described in the previous findings.
Fix: Narrow the scope of file operations to a specific sandboxed directory. If the purpose is truly 'basic demonstration', consider removing file operations entirely or restricting to a predefined set of files.