CVE-2025-66689
📋 TL;DR
A path traversal vulnerability in Zen MCP Server allows authenticated attackers to read arbitrary files on the system by bypassing directory blacklist restrictions. This affects all Zen MCP Server versions before 9.8.2 where attackers have valid credentials. The vulnerability stems from flawed validation logic that uses exact string matching against system directories.
💻 Affected Systems
- Zen MCP Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files, configuration files, SSH keys, database credentials, or other confidential data, potentially leading to full system compromise.
Likely Case
Authenticated attackers reading application configuration files, user data, or other files accessible to the server process.
If Mitigated
Limited impact with proper file permissions and network segmentation, though sensitive data exposure remains possible.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once credentials are obtained. Public proof-of-concept exists in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.8.2
Vendor Advisory: https://github.com/BeehiveInnovations/zen-mcp-server/issues/293
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Stop Zen MCP Server service. 3. Update to version 9.8.2 or later. 4. Restart the service. 5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict File System Access
linuxRun Zen MCP Server with minimal file system permissions using containerization or restricted user accounts.
sudo chroot /var/zen-mcp /usr/bin/zen-mcp-server
sudo setfacl -m u:zenuser:rx /var/zen-mcp
Network Segmentation
linuxRestrict access to Zen MCP Server to trusted networks only using firewall rules.
sudo iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit which users can reach the Zen MCP Server interface.
- Apply file system permissions to restrict what files the Zen MCP Server process can read.
🔍 How to Verify
Check if Vulnerable:
Check Zen MCP Server version: if version is less than 9.8.2, the system is vulnerable.Check Version:
zen-mcp-server --versionVerify Fix Applied:
After updating, verify the version is 9.8.2 or higher and test path traversal attempts against known vulnerable endpoints.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in server logs
- Multiple failed path traversal attempts
- Access to system directories from MCP requests
Network Indicators:
- Unusual volume of file read requests to MCP server
- Requests containing path traversal patterns like '../' or directory bypass attempts
SIEM Query:
source="zen-mcp.log" AND ("..\" OR "/etc/" OR "/root/") AND action="read"