CVE-2025-53110: 
JavaScript vulnerability analysis and mitigation

A path validation vulnerability (CVE-2025-53110) was discovered in @modelcontextprotocol/server-filesystem affecting versions <=0.6.2 and >=2025.1.14, <2025.7.1. The vulnerability was disclosed on July 1, 2025, and allows attackers to bypass path validation mechanisms when the prefix matches an allowed directory (GitHub Advisory).

The vulnerability exists in the filesystem component where path validation can be bypassed in cases where the prefix matches an allowed directory. The issue has been assigned a CVSS v4.0 score of 7.3 (High) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H. The vulnerability requires network access with low attack complexity and no privileges required, though passive user interaction is needed (GitHub Advisory).

The vulnerability has significant impact potential, particularly on system availability and subsequent system effects. While the direct confidentiality and integrity impacts are rated as None, the subsequent system impacts for confidentiality, integrity, and availability are all rated as High according to the CVSS metrics (GitHub Advisory).

Users are advised to upgrade to version 2025.7.1 or version 0.6.3 which contain patches for this vulnerability. The fix was implemented through a security patch merged into the main branch (GitHub Commit).

The vulnerability was responsibly disclosed by security researcher Elad Beber from Cymulate. The vendor responded by quickly releasing patches in both the 0.6.x and 2025.x version lines (GitHub Advisory).