Memory Bank Mcp
Monthly
Path traversal in alioshr memory-bank-mcp through versions 0.2.1 and 3.1 allows a local low-privileged user to read files outside the intended project directory boundary by supplying traversal sequences in the `projectName` argument processed by `list-project-files-validation-factory.ts`. A public proof-of-concept has been disclosed via GitHub issue #36, and no patch is available as the vendor has not yet responded to the coordinated disclosure. No confirmed active exploitation has been identified (not listed in CISA KEV), though the public exploit lowers the barrier for opportunistic local abuse.
Path traversal in alioshr memory-bank-mcp through versions 0.2.1 and 3.1 allows a local low-privileged user to read files outside the intended project directory boundary by supplying traversal sequences in the `projectName` argument processed by `list-project-files-validation-factory.ts`. A public proof-of-concept has been disclosed via GitHub issue #36, and no patch is available as the vendor has not yet responded to the coordinated disclosure. No confirmed active exploitation has been identified (not listed in CISA KEV), though the public exploit lowers the barrier for opportunistic local abuse.