CVE-2025-53109: @modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling
Versions of Filesystem prior to 0.6.3 and 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve the issue.
Thank you to Elad Beber (Cymulate) for reporting these issues.