Advisories for Npm/@Bitbonsai/Mcpvault package

2026

MCPVault: PathFilter restricted directories (.git/.obsidian/node_modules) only denied at vault root, not nested

PathFilter's deny-list glob patterns are anchored, so .git, .obsidian, and node_modules were only blocked at the vault root. Nested copies inside the vault (e.g. tools/cli/node_modules/…, tools/somerepo/.git/config, a nested .obsidian/) were fully traversable via isAllowed/isAllowedForListing. Impact: a nested .git/config (remote URLs / embedded tokens) and nested .obsidian contents could be read, under the same prompt-injection threat model as GHSA-j99q-93c9-h869 (an attacker influences the path an agent reads). It also caused nested …

MCPVault: PathFilter restricted-directory deny-list bypass via case and trailing dot/space equivalence

On case-insensitive filesystems (macOS, Windows), PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/node_modules restriction while the OS opened the real file. On Windows, trailing dots/spaces (.git./config, .git /config) bypassed it the same way. Affects both isAllowed (read/write/move/search) and isAllowedForListing. Vault-root .. containment is NOT affected. Fixed in 0.11.4 by case-insensitive matching plus per-segment canonicalization before the …