Home > Vulnerability Database > CVE-2025-67364

Mend.io Vulnerability Database

CVE-2025-67364

Date: January 6, 2026

fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files.

Severity Score

7.5

Related Resources (4)

Url: https://github.com/efforthye/fast-filesystem-mcp

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67364

Url: https://github.com/efforthye/fast-filesystem-mcp/issues/10

Url: https://www.mend.io/vulnerability-database/CVE-2025-67364

Severity Score

7.5

Weakness Type (CWE)

Path Traversal: '../filedir'

CWE-24

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67364

Date: January 6, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?