high advisory

eiceblue spire-doc-mcp-server Path Traversal Vulnerability

A path traversal vulnerability exists in eiceblue spire-doc-mcp-server version 1.0.0, allowing a remote attacker to access arbitrary files by manipulating the 'document_name' argument in the 'get_doc_path' function.

A critical path traversal vulnerability has been identified in eiceblue spire-doc-mcp-server version 1.0.0. The vulnerability resides within the get_doc_path function of the src/spire_doc_mcp/api/base.py file. By manipulating the document_name argument, an attacker can bypass intended directory restrictions and access files outside the designated document path. This attack can be initiated remotely without authentication, posing a significant risk. Public exploits are available, increasing the likelihood of exploitation. The vendor was notified through an issue report, but has not yet responded.

Attack Chain

  1. The attacker sends a crafted HTTP request to the spire-doc-mcp-server.
  2. The request targets an endpoint that utilizes the vulnerable get_doc_path function.
  3. The attacker manipulates the document_name parameter within the request.
  4. The document_name parameter contains a path traversal sequence (e.g., “../”) designed to escape the intended directory.
  5. The get_doc_path function fails to properly sanitize or validate the document_name input.
  6. The application constructs a file path based on the malicious input.
  7. The application attempts to read the file at the attacker-controlled path.
  8. The attacker successfully retrieves the contents of an arbitrary file on the server.

Impact

Successful exploitation of this path traversal vulnerability allows an attacker to read sensitive files on the server. This could include configuration files containing credentials, source code, or other confidential data. The CVSS v3.1 score of 7.3 reflects the high severity of this issue. The lack of vendor response and availability of public exploits significantly increases the risk to organizations using vulnerable versions of spire-doc-mcp-server.

Recommendation

  • Deploy the Sigma rule “Detect Spire-doc-mcp-server Path Traversal Attempt” to your SIEM to detect exploitation attempts by monitoring web server logs for path traversal sequences.
  • Apply input validation and sanitization to the document_name argument in the get_doc_path function within src/spire_doc_mcp/api/base.py to prevent path traversal.
  • Monitor web server logs for HTTP requests containing path traversal sequences (e.g., “..%2F”, “../”) targeting endpoints related to document retrieval.
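
One way to implement the validation recommended above for document_name, shown as an added example and not the project's own code. The names naive_doc_path, safe_doc_path and check_samples, the documents directory, and the sample inputs are assumptions made for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when document_name would resolve outside the document root."""


def naive_doc_path(base_dir: Path, document_name: str) -> Path:
    # Assumed unsafe pattern for contrast: a plain join keeps "../" segments.
    return base_dir / document_name


def safe_doc_path(base_dir: Path, document_name: str) -> Path:
    """Hypothetical hardened resolver: the result is always inside base_dir."""
    if not document_name or "\x00" in document_name:
        raise UnsafePathError("empty name or NUL byte")
    # Assumption: callers may pass still-encoded input, so decode once and
    # judge "..%2F" in the same form that is later used to open the file.
    decoded = unquote(document_name)
    root = base_dir.resolve()
    # resolve() collapses ".." and follows symlinks; an absolute value
    # replaces root in the join and is caught by the containment check.
    candidate = (root / decoded).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafePathError(f"{document_name!r} escapes {root}")
    return candidate


def check_samples() -> dict:
    """Run constructed sample inputs through the hardened resolver."""
    samples = ["report.docx", "sub/notes.docx", "../../etc/passwd",
               "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "sub/../../secret.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "documents"
        base.mkdir()
        for name in samples:
            try:
                safe_doc_path(base, name)
                results[name] = "allowed"
            except UnsafePathError:
                results[name] = "rejected"
    return results
```

The check compares fully resolved paths rather than searching the input for “../”, so encoded, absolute and nested traversal forms are all rejected by the same test.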

Detection coverage (2)

Detect Spire-doc-mcp-server Path Traversal Attempt

high

Detects path traversal attempts in requests to spire-doc-mcp-server by looking for common path traversal sequences in the URI.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver, linux

Detect Spire-doc-mcp-server Base64 Encoded Path Traversal Attempt

high

Detects base64 encoded path traversal attempts in requests to spire-doc-mcp-server by looking for base64 encoded path traversal sequences in the URI.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver, linux