Vulnerability Database

359,603

Total vulnerabilities in the database

CVE-2026-54561 — mcp-memory-keeper

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact

context_import passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client — or an LLM agent that is prompt-injected into calling the tool — could point filePath at any file readable by the server process, outside any session or export directory:

  • Full disclosure (JSON files): a valid-JSON target (e.g. another user's exported session, or a *.json credential / service-account file) is parsed and imported into the caller's session, then retrievable verbatim via context_get / context_export.
  • Partial disclosure (any file): for a non-JSON target (e.g. /etc/passwd, an SSH key, a .env), JSON.parse throws and V8 includes a snippet of the file's leading bytes in the SyntaxError message, which was returned verbatim to the caller.

Both ../ traversal and absolute paths worked — there was no path confinement of any kind.

In a typical MCP deployment the server runs on the developer's machine, so the reachable set includes other users' exported memory sessions, JSON credential/config files, and (in leading-bytes form) .env files, SSH keys, and /etc/passwd. The trigger is a tool argument, so the realistic threat model is an LLM agent prompt-injected into calling context_import, or any MCP client connected to the server.

Patches

Fixed in 0.13.0 (PR #36):

  • Imports are confined to a server-owned exports directory (<DATA_DIR>/exports, overridable via MEMORY_KEEPER_EXPORT_DIR), resolved with realpathSync. ../ traversal, absolute paths outside the directory, and symlink escapes are all rejected.
  • File read and JSON.parse are separate operations; read/parse failures return a generic message and never echo file bytes (the SyntaxError-message leak is gone). The database-write path is likewise generic.
  • An E2E security regression suite covers the reported arbitrary-read and traversal vectors, plus symlink escape, the directory-prefix boundary, and a no-existence-oracle check.

Workarounds

Upgrade to >= 0.13.0. There is no configuration-only workaround for affected versions.

Resources

  • Report: GitHub issue #35
  • Fix: PR #36

Credit

Reported by Zhihao Zhang (@mcfly-zzh).

CVSS v3:

  • Severity: Medium
  • Score: 6.2
  • AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.