Attack Chain

1. An attacker crafts a malicious MCPB file.
2. The malicious MCPB file contains a manifest.json file with a name field set to a path traversal string (e.g., ../../../tmp/evil).
3. The attacker uploads the malicious MCPB file to the /mcpb/upload endpoint.
4. The uploadMcpbFile function extracts the uploaded MCPB file to a temporary directory.
5. The function reads and parses the manifest.json file from the temporary directory.
6. The manifest.name value (containing the path traversal string) is used to construct the final extraction directory path using path.join.
7. The server attempts to create the directory specified by the crafted path and moves the extracted files to this location. Due to the path traversal, the files are written outside the intended directory.
8. The cleanupOldMcpbServer function may be triggered, attempting to delete directories based on the unsanitized name, though constrained to the upload directory.

Impact

Successful exploitation of this path traversal vulnerability allows an attacker to write files to arbitrary locations on the server’s file system. This could lead to overwriting critical system files, injecting malicious code into existing applications, or gaining unauthorized access to sensitive data. The exact impact depends on the permissions of the user running the MCPHub application and the contents of the files being written. If the attacker can overwrite executable files or configuration files, they could achieve arbitrary code execution and full system compromise.

Recommendation

• Apply the remediation recommendations from the original advisory: Use path.basename() to strip directory components from manifest.name, and enforce a strict character whitelist before use.
• Deploy the Sigma rule “Detect MCPHub Path Traversal Attempt via Manifest Name” to identify attempts to exploit this vulnerability by monitoring for specific path traversal sequences in the manifest name (see Sigma rule).
• Upgrade MCPHub to version 0.12.13 or later to patch this vulnerability.