DesktopCommanderMCP
CVE-2025-11489
LOW
Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: "Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We'll keep this issue open for future consideration if we receive more user demand for improved restrictions." This vulnerability only affects products that are no longer supported by the maintainer.
Analysis (AI)
Symlink following in DesktopCommanderMCP up to version 0.2.13 allows local authenticated attackers to read files outside intended directory boundaries through the isPathAllowed function in filesystem.ts. The vulnerability requires local access and authenticated user privileges, with high attack complexity and low exploitability despite public availability of proof-of-concept code. This affects only unsupported product versions and carries minimal real-world risk (CVSS 1.1, EPSS 0.02%), though the vendor describes the restriction feature as a guardrail for LLMs rather than a hardened security boundary.
Technical Context (AI)
DesktopCommanderMCP is a Model Context Protocol (MCP) tool that provides filesystem access to LLM applications. The vulnerability exists in the path validation logic of src/tools/filesystem.ts, specifically in the isPathAllowed function, which is responsible for enforcing directory restrictions. CWE-59 (Improper Link Resolution Before File Access, also known as 'symlink following') indicates that the function fails to detect and reject symbolic links that point outside the intended restricted directory. When an LLM or authorized user interacts with the filesystem through DesktopCommanderMCP, a crafted symlink can bypass the path validation guardrails, allowing access to arbitrary files readable by the application's process. The affected CPE is cpe:2.3:a:wonderwhy-er:desktopcommandermcp:*:*:*:*:*:*:*:* with impact limited to versions 0.2.13 and earlier.
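The CWE-59 pattern described above, as an added Node.js example that is not DesktopCommanderMCP's own code: a purely lexical allow-list check (an assumed stand-in for a symlink-blind validator) beside one that canonicalizes with realpath before comparing. All function names and the temporary directory layout are constructed for illustration.

```javascript
// Added example, not DesktopCommanderMCP code; names and layout are constructed.
const fs = require("node:fs"), os = require("node:os"), path = require("node:path");

// True when `child` is `parent` itself or lies beneath it.
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Lexical check: collapses "." and ".." but never consults the filesystem (symlink-blind).
function isPathAllowedLexical(requested, allowedDirs) {
  return allowedDirs.some((d) => isInside(path.resolve(d), path.resolve(requested)));
}

// Canonicalize the deepest existing ancestor, then re-append the missing tail (new files).
function realpathOfNearest(p, tail = []) {
  try {
    return path.join(fs.realpathSync(p), ...tail);
  } catch (err) {
    const parent = path.dirname(p);
    // Only "entry missing" may walk upward; a dangling symlink still has an lstat entry.
    if (err.code !== "ENOENT" || parent === p || fs.lstatSync(p, { throwIfNoEntry: false })) throw err;
    return realpathOfNearest(parent, [path.basename(p), ...tail]);
  }
}

// Resolving check: returns the canonical path the caller should open, or null.
function resolveIfAllowed(requested, allowedDirs) {
  try {
    const real = realpathOfNearest(path.resolve(requested));
    return allowedDirs.some((d) => isInside(fs.realpathSync(d), real)) ? real : null;
  } catch {
    return null; // unresolvable paths fail closed
  }
}

// Constructed layout: allowed/link -> outside, allowed/dangling -> outside/absent
function demo() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "symlink-demo-")));
  const [allowed, outside] = ["allowed", "outside"].map((n) => path.join(root, n));
  [allowed, outside].forEach((d) => fs.mkdirSync(d));
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed\n");
  fs.symlinkSync(outside, path.join(allowed, "link"));
  fs.symlinkSync(path.join(outside, "absent"), path.join(allowed, "dangling"));
  const ask = (rel) => resolveIfAllowed(path.join(allowed, rel), [allowed]);
  const out = { allowed, lexical: isPathAllowedLexical(path.join(allowed, "link/secret.txt"), [allowed]),
    resolved: ask("link/secret.txt"), dangling: ask("dangling"), newFile: ask("new.txt") };
  fs.rmSync(root, { recursive: true, force: true });
  return out;
}
```

The check and the later open remain two separate steps, so a link swapped in between them is not covered; the container isolation the vendor recommends bounds what any such bypass can reach.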
Remediation (AI)
Users of DesktopCommanderMCP should immediately upgrade to the latest version beyond 0.2.13 if available. Alternatively, and preferably, the vendor recommends deploying DesktopCommanderMCP within Docker containers to achieve true isolation; this eliminates the practical risk of symlink traversal accessing host files outside the container's filesystem. For installations that cannot be immediately updated, restrict local access to DesktopCommanderMCP to trusted users only by implementing OS-level access controls (e.g., firewall rules, process restrictions, or user privilege separation), understanding that this reduces but does not eliminate the attack surface. Additionally, audit filesystem permissions on systems running DesktopCommanderMCP to ensure the application process runs with minimal necessary privileges, limiting readable files in the event of symlink traversal. Note that these compensating controls do not address the underlying vulnerability and should be temporary measures pending upgrade. For detailed vulnerability discussion and community feedback, see https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/219.