
Image: Cymulate
Cymulate Research Labs has disclosed two vulnerabilities in Anthropic’s Filesystem MCP Server. The newly disclosed flaws, CVE-2025-53110 and CVE-2025-53109, expose systems to unauthorized access, privilege escalation, and remote code execution.
“With this growing hype, we must remain careful about the security risks that come with it,” the researcher warns in their report.
MCP is described as “a USB-C port for AI,” a unified framework that allows LLMs to interface with filesystems, APIs, and databases through standardized server endpoints. The Filesystem MCP Server, a Node.js-based module, enables file operations such as reading, writing, and listing directories—but only within an “allowed” directory scope defined in a configuration file.
On paper, this sandboxing mechanism should prevent abuse. In reality, it left a gaping hole.
The first flaw, tracked as CVE-2025-53110 (CVSS 7.3), is a classic validation oversight: the server decided whether a requested path fell within an allowed directory by plain string-prefix matching (JavaScript’s startsWith on the normalized path). A text comparison knows nothing about directory boundaries, so a path that merely begins with the allowed directory’s name, but is not actually inside it, passes the check.
“An attacker can exploit this by listing a directory name that starts with the allowed path but extends beyond it,” explains the report.
This bypass lets an attacker read or modify files outside the designated scope wherever a sibling path shares the allowed directory’s name as a prefix, effectively breaking the containment model the MCP server is built upon.
The second vulnerability, tracked as CVE-2025-53109 (CVSS 8.2), is even more alarming. By combining a symlink attack with the flawed directory check, an attacker can gain full read/write access to arbitrary files—including sensitive system files like /etc/sudoers.
“If the MCP server (or the associated Claude process) runs with elevated privileges, particularly as root, the attacker could potentially achieve a full system takeover.”
The report illustrates a scenario where attackers use symbolic links to implant a malicious .plist file into macOS’s LaunchAgents folder. The result? Code execution at login. In a proof of concept, the researchers launched the Calculator app—harmless in the demo, but in real attacks, this could easily be ransomware or a data exfiltration tool.
The core issue is poor error handling. When the server cannot resolve a requested path to its real location (as happens when the path is a symlink whose target does not yet exist), it falls back to validating the parent directory of the requested path. That parent is the directory holding the symlink, which sits inside the allowed scope, rather than the directory of the link’s target. A subsequent write therefore follows the link to wherever it points.
“This poor error handling lets the symlink bypass succeed, exposing sensitive files and opening the door to further attacks.”
Anthropic responded promptly, releasing a patch on July 1, 2025. All users of the Filesystem MCP Server are urged to upgrade to version 2025.7.1. Because both flaws are bounded by the privileges of the server process, the server should also run as an unprivileged user with the narrowest allowed-directory list the workflow needs, whatever version is installed.
“We’ve already observed a high adoption rate of the patched version following its release, significantly reducing the risk of exploitation,” the report noted.