Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Path traversal in processing-claude-mcp-bridge's create_sketch tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the sketch_name parameter in processing_server.py. Public exploit code exists via GitHub issue #1, enabling straightforward attacks against exposed instances. EPSS data not available, but CVSS 7.3 (High) with network vector and no authentication requirements indicates significant risk for internet-facing deployments. Project maintainer has not responded to vulnerability disclosure, leaving no vendor-confirmed patch timeline.
Technical ContextAI
This vulnerability affects the processing-claude-mcp-bridge project (CPE: cpe:2.3:a:donchelo:processing-claude-mcp-bridge), which appears to bridge Processing (creative coding framework) with Claude AI via the Model Context Protocol. The flaw is a classic CWE-22 path traversal weakness in the create_sketch tool's handling of user-supplied sketch names within processing_server.py. Insufficient input sanitization allows an attacker to inject directory traversal sequences (../ patterns) into the sketch_name argument, escaping intended directories to access arbitrary filesystem locations. The vulnerable code accepts network requests without authentication (AV:N/PR:N), processes attacker-controlled filenames, and performs file operations with the server's privileges. This architectural pattern-combining network-exposed functionality with file system operations on unsanitized user input-is a common source of path traversal vulnerabilities in web-based tooling and API endpoints.
RemediationAI
No vendor-released patch identified at time of analysis-the maintainer has not responded to the vulnerability disclosure. Users must implement compensating controls immediately: First, restrict network access to processing_server.py by binding only to localhost (127.0.0.1) if the service is used purely for local development, eliminating remote attack vectors entirely. Second, implement network-level access controls via firewall rules or VPN requirements to limit exposure to trusted IP ranges. Third, apply input validation at the application layer if modifying the code locally-whitelist allowed characters in sketch_name parameters (alphanumeric, hyphen, underscore only) and reject any input containing directory traversal sequences (../, .., absolute paths). Note that restricting to localhost may break legitimate remote usage scenarios if the bridge is designed for network accessibility. Monitor the GitHub repository (https://github.com/donchelo/processing-claude-mcp-bridge/) and VulDB entry (https://vuldb.com/vuln/359816) for maintainer response or community-contributed patches. Consider forking the project to apply security fixes independently if the project remains unmaintained, though this increases long-term maintenance burden.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25972