Mcp Debugger
Path traversal in debugmcp mcp-debugger through version 0.20.0 enables authenticated remote attackers with low-privilege access to read arbitrary files outside the intended directory via the `handleGetSourceContext` function in `src/server.ts`. Impact is restricted to limited confidentiality exposure on the vulnerable system (CVSS VC:L) with no integrity or availability consequence, yielding a CVSS 4.0 score of 2.1. A public proof-of-concept exploit exists on GitHub, though the EPSS score remains at 0.04% (12th percentile) and the issue is absent from the CISA KEV catalog, indicating exploitation has not been observed at meaningful scale. The vendor did not respond to responsible disclosure, meaning no official patch is available.
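With no vendor patch available, one mitigation pattern for this bug class is a containment check in front of every file read. The TypeScript below is an added example, not mcp-debugger's code: `resolveInsideRoot`, `readSourceContext` and the temporary workspace are hypothetical names and constructed data, and it assumes the server should only serve files under a single workspace root.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not mcp-debugger code): resolve a client-supplied
// path and refuse anything that lands outside the allowed root.
function resolveInsideRoot(root: string, requested: string): string {
  if (requested.indexOf("\0") !== -1) throw new Error("NUL byte in path");
  const realRoot = fs.realpathSync(root);
  // realpathSync collapses ".." segments and follows symlinks, so the check
  // below runs on the file that would actually be opened.
  const realTarget = fs.realpathSync(path.resolve(realRoot, requested));
  const rel = path.relative(realRoot, realTarget);
  const escapes = rel === "" || path.isAbsolute(rel) || rel.split(path.sep)[0] === "..";
  if (escapes) throw new Error("path escapes workspace root");
  return realTarget;
}

// Hypothetical source-context reader: `line` is 1-based, `radius` lines each side.
function readSourceContext(root: string, file: string, line: number, radius = 2): string[] {
  const target = resolveInsideRoot(root, file);
  const lines = fs.readFileSync(target, "utf8").split(/\r?\n/);
  return lines.slice(Math.max(0, line - 1 - radius), line + radius);
}

// Constructed workspace: one legitimate file, one file outside the root, one symlink to it.
function demo(): Record<string, string> {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ctx-demo-")));
  const root = path.join(base, "workspace");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "app.py"), "a = 1\nb = 2\nc = 3\n");
  fs.writeFileSync(path.join(base, "secret.txt"), "constructed secret\n");
  fs.symlinkSync(path.join(base, "secret.txt"), path.join(root, "link.txt"));
  const cases: [string, string][] = [
    ["inside", "app.py"],
    ["dotdot", "../secret.txt"],
    ["absolute", path.join(base, "secret.txt")],
    ["symlink", "link.txt"],
  ];
  const results: Record<string, string> = {};
  for (const [label, p] of cases) {
    try { readSourceContext(root, p, 2); results[label] = "allowed"; }
    catch (e) { results[label] = "denied"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Comparing resolved paths with `path.relative` rather than a string prefix avoids accepting a sibling directory such as `workspace-old` when the root is `workspace`.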