
2025-07-01

High · Primary

Anthropic Filesystem MCP Server: Symlink Escape and Path Traversal Allow Full Host Filesystem Access (CVE-2025-53109/53110)

Two CVEs in Anthropic's Filesystem MCP server: naive prefix-matching path traversal (CVSS 7.3) and crafted symlink sandbox escape (CVSS 8.4). Full host filesystem read/write. Discovered by Cymulate Research Labs. Patched in v0.6.3.

Anthropic Filesystem MCP
Tool execution / MCP
Sandbox escape: path traversal and symlink following
Host filesystem / Anthropic Filesystem MCP server

What happened

Cymulate Research Labs demonstrated two bypass paths: (1) crafted path strings bypassed naive prefix-matching to traverse outside allowed directories; (2) a symlink placed inside an allowed directory pointed outside the sandbox, which the server followed without re-checking the resolved path.

Why it matters

Full host filesystem read/write access outside the intended allowed directories. Any file on the host — SSH keys, environment files, source code, credentials — was accessible to an attacker who could influence MCP tool calls.

Missing authorization check

Path enforcement must resolve symlinks and normalize paths before comparing to allowed directories. Prefix-matching on raw path strings is insufficient as a sandbox boundary.

Would PP block it?

If all Filesystem MCP tool calls required a PP receipt, an attacker exploiting prompt injection to trigger the bypass would still need a human to authorize the tool call first. The underlying path validation bug requires a fix in the MCP server itself.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-07-01

    Anthropic releases Filesystem MCP server v0.6.3 patching CVE-2025-53109 (CVSS 8.4, symlink escape) and CVE-2025-53110 (CVSS 7.3, path traversal). Cymulate Research Labs credited with discovery.

Technical breakdown

  • CVE-2025-53110: The server checked if a requested path started with an allowed directory prefix using string comparison, without normalizing the path first. Sequences like `/../` could produce a string that passes the prefix check but resolves outside the sandbox.
  • CVE-2025-53109: The server did not resolve symlinks before enforcing path boundaries. A symlink at `allowed_dir/link -> /etc` would pass the prefix check on `allowed_dir/link/passwd` but resolve to `/etc/passwd`.
  • Both vulnerabilities require the attacker to control what path the MCP client requests — achievable via prompt injection or a malicious MCP client.
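
The two checks side by side, as an added Python illustration (not the MCP server's own code, which is TypeScript): a naive prefix match of the kind described above, and a hardened check that canonicalizes both sides with realpath() before comparing. The sandbox layout, file names and the `allowed_evil` sibling-directory case are constructed for the demo.

```python
import os
import shutil
import tempfile


def naive_is_allowed(requested: str, allowed_dir: str) -> bool:
    """Vulnerable pattern: raw string prefix check, no normalization, no symlink resolution."""
    return requested.startswith(allowed_dir)


def safe_is_allowed(requested: str, allowed_dir: str) -> bool:
    """Hardened check: canonicalize both sides ('..' and symlinks resolved), then compare.

    realpath() resolves every leading component that exists, so a not-yet-created file
    under a symlinked directory still canonicalizes to its real location. Comparing with
    a trailing separator stops 'allowed_evil' from matching 'allowed'. A full fix also
    re-checks at open time (e.g. O_NOFOLLOW) so a symlink swapped in after this check
    cannot win the race.
    """
    root = os.path.realpath(allowed_dir)
    target = os.path.realpath(requested)
    return target == root or target.startswith(root + os.sep)


def run_cases() -> dict:
    """Build a constructed sandbox layout and return {case: (naive_verdict, safe_verdict)}."""
    base = tempfile.mkdtemp(prefix="mcp-fs-demo-")
    try:
        allowed = os.path.join(base, "allowed")
        outside = os.path.join(base, "outside")
        os.makedirs(allowed)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("constructed secret\n")
        # Symlink placed inside the allowed directory, pointing outside it (CVE-2025-53109 pattern)
        os.symlink(outside, os.path.join(allowed, "link"))

        cases = {
            "legit": os.path.join(allowed, "notes.txt"),
            "dotdot_traversal": os.path.join(allowed, "..", "outside", "secret.txt"),
            "symlink_escape": os.path.join(allowed, "link", "secret.txt"),
            "sibling_prefix": os.path.join(base, "allowed_evil", "x.txt"),
        }
        return {name: (naive_is_allowed(p, allowed), safe_is_allowed(p, allowed))
                for name, p in cases.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, (naive, safe) in run_cases().items():
        print(f"{name:18s} naive={naive!s:5s} safe={safe}")
```

Only the legitimate path passes the hardened check; the naive check accepts all four, including the sibling directory whose name merely begins with the allowed prefix.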

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The assessment is conditional: PP blocks the action only where the real action boundary is routed through a gate.

If enforced at: Filesystem MCP tool call execution, path resolution
Still needs: Symlink resolution before path enforcement; canonical path normalization
Receipt required for: Any filesystem read/write via MCP tool call, especially outside explicitly allowed paths

PP's Runtime Gate would require a receipt for filesystem tool calls. It would not prevent the path traversal itself, but would force human authorization before any filesystem access tool call executes.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
