Vulnerability DatabaseGHSA-xh92-rqrq-227v

GHSA-xh92-rqrq-227v:
JavaScript vulnerability analysis and mitigation

Overview

The @mastra/mcp-docs-server package, versions 0.13.18 and below, contains a Directory Traversal vulnerability that leads to information exposure. This server, designed to provide documentation context to AI agentic workflows, is susceptible to an attack that allows unauthorized directory listing disclosure. The vulnerability was discovered and reported by Liran Tal, published on September 24, 2025, and has been assigned the identifier GHSA-xh92-rqrq-227v with a moderate severity rating (CVSS score: 6.5) (GitHub Advisory).

Technical details

The vulnerability stems from a logical flaw in the code where the security check in the readMdxContent function can be bypassed. While the function correctly checks for path traversal attempts when reading file contents, the main execute function continues to process the path even after a security violation is detected. This occurs because the code proceeds to call findNearestDirectory(path, availablePaths) without proper path validation, allowing un-sanitized paths to be used for directory listing. The vulnerability is tracked as CWE-548 (Exposure of Information Through Directory Listing) and has been assigned a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (GitHub Advisory).

Impact

The vulnerability exposes sensitive information about the user's file system structure. When exploited, it can reveal the presence of sensitive tools (.BurpSuite), configuration files (.config), cloud credentials (.aws/, .gcp/), and private project directories. This information disclosure could be leveraged by attackers to plan and execute more targeted attacks (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 0.17.0. The recommended fixes include halting execution immediately when a path traversal attempt is detected and implementing defense-in-depth by applying path validation logic to the findNearestDirectory function. Users should upgrade to the patched version to prevent unauthorized directory listing exposure (GitHub Advisory, Mastra Commit).

Additional resources

Source: This report was generated using AI

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-59834	CRITICAL	9.8	JavaScript	adb-mcp	No	No	Sep 24, 2025
CVE-2025-59343	HIGH	8.7	JavaScript	tar-fs	No	Yes	Sep 24, 2025
CVE-2025-59828	HIGH	7.7	JavaScript	@anthropic-ai/claude-code	No	Yes	Sep 24, 2025
GHSA-xh92-rqrq-227v	MEDIUM	6.5	JavaScript	@mastra/mcp-docs-server	No	Yes	Sep 24, 2025
CVE-2025-59426	MEDIUM	4.3	JavaScript	@lobehub/chat	No	Yes	Sep 24, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-xh92-rqrq-227v: JavaScript vulnerability analysis and mitigation