Path Traversal Arbitrary File Read/Write in IncomeStreamSurfer/roo-code-memory-bank-mcp-server
Summary
I found a path traversal issue in IncomeStreamSurfer/roo-code-memory-bank-mcp-server.
The MCP tools read_memory_bank_file and append_memory_bank_entry accept a caller-controlled file_name. In src/index.ts, that value is used directly in:
path.join(MEMORY_BANK_PATH, fileName)
without checking that the resolved path stays inside the memory-bank directory.
The resulting path is then used for:
fs.readFile(...)
fs.writeFile(...)
fs.appendFile(...)
which allows a malicious MCP client to read or modify attacker-chosen files outside the intended storage directory.
Affected Version
Relevant Code Paths
src/index.ts
readMemoryBankFile(input)
appendMemoryBankEntry(input)
- MCP tool handlers for:
read_memory_bank_file
append_memory_bank_entry
Impact
A malicious MCP client can use traversal segments in file_name to escape the memory-bank directory and perform arbitrary file disclosure and file modification against paths reachable by the server process.
Recommended Fix
- Reject traversal sequences, absolute paths, and path separators in
file_name
- Resolve the path and verify it remains under
MEMORY_BANK_PATH before reading or writing
- Consider enforcing an allowlist of expected memory-bank filenames
I have a local reproduction and will add it in a follow-up comment with output and screenshot.
Path Traversal Arbitrary File Read/Write in IncomeStreamSurfer/roo-code-memory-bank-mcp-server
Summary
I found a path traversal issue in
IncomeStreamSurfer/roo-code-memory-bank-mcp-server.The MCP tools
read_memory_bank_fileandappend_memory_bank_entryaccept a caller-controlledfile_name. Insrc/index.ts, that value is used directly in:without checking that the resolved path stays inside the
memory-bankdirectory.The resulting path is then used for:
fs.readFile(...)fs.writeFile(...)fs.appendFile(...)which allows a malicious MCP client to read or modify attacker-chosen files outside the intended storage directory.
Affected Version
roo-mcp-server0.1.0Relevant Code Paths
src/index.tsreadMemoryBankFile(input)appendMemoryBankEntry(input)read_memory_bank_fileappend_memory_bank_entryImpact
A malicious MCP client can use traversal segments in
file_nameto escape thememory-bankdirectory and perform arbitrary file disclosure and file modification against paths reachable by the server process.Recommended Fix
file_nameMEMORY_BANK_PATHbefore reading or writingI have a local reproduction and will add it in a follow-up comment with output and screenshot.