Advisory Details
Title: Path Validation Bypass via Config Parsing Fail-Open (Sandbox Escape)
Description:
Summary
The DesktopCommanderMCP server fails to gracefully handle exceptions occurring during the parsing of its config.json file. A fail-open logic flaw causes the server to fall back to a default configuration with an empty allowedDirectories array if the JSON is malformed. The core path validation logic incorrectly interprets this empty array as "allow all paths", leading to a complete bypass of the filesystem sandbox boundary and enabling arbitrary file read/write across the host filesystem.
Details
This vulnerability stems from two interconnected logic flaws across the configuration recovery and path validation handlers:
- When ConfigManager parses ~/.claude-server-commander/config.json in init(), syntactically invalid JSON makes JSON.parse throw. Instead of failing closed, the application catches the exception and recovers via this.getDefaultConfig(), which initializes allowedDirectories to an empty array [].
- In src/tools/filesystem.ts, the isPathAllowed() function evaluates the scope restrictions for file operations. Its logic erroneously equates an empty configuration array (length === 0) with explicitly unrestricted access:
  // vulnerable check: an empty allow-list is treated like an explicit "/"
  if (allowedDirectories.includes('/') || allowedDirectories.length === 0) {
    return true;
  }
An attacker with limited initial execution privileges (i.e., the ability to invoke a tool such as start_process) can trigger this by deliberately overwriting ~/.claude-server-commander/config.json with malformed JSON and, in the same command, killing the node server process. The forced termination skips the usageTracker's post-tool-execution telemetry, which would otherwise rewrite the configuration file on disk and repair it. On the server's next start or reconnect, the corrupted file triggers the parsing exception, the fail-open default configuration is installed, and the MCP server's file access sandbox is gone.
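The two flaws side by side with a fail-closed alternative, as an added illustration written for this advisory. It models the config-recovery and isPathAllowed behaviour described above in a few lines of TypeScript and is not DesktopCommanderMCP's own code: the function names mirror the advisory, the config strings and sample paths are constructed, and the resolve-then-relative containment check in isInside() is an assumption about what a correct implementation should do, not a description of the project's.

```typescript
// Added illustration for this advisory: a minimal model of the fail-open config
// recovery and the empty-allow-list check, next to a fail-closed version.
// Not DesktopCommanderMCP's code; names mirror the advisory and all inputs are constructed.
import * as path from "path";

interface ServerConfig {
  allowedDirectories: string[];
}

// Constructed inputs: a sane config and the malformed one from the PoC.
const VALID_CONFIG_JSON = JSON.stringify({ allowedDirectories: ["/home/alice/projects"] });
const CORRUPT_CONFIG_JSON = "{ this is structurally invalid json [[[";

// Is `target` equal to or underneath `dir`, after normalising both? (assumed helper)
function isInside(dir: string, target: string): boolean {
  const rel = path.relative(path.resolve(dir), path.resolve(target));
  if (rel === "") return true;
  // Reject anything that climbs out ("../x") or lands on a different absolute path.
  return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// --- Vulnerable pattern, as the advisory describes it ---

// Flaw 1: a parse failure is swallowed and replaced by a default with no directories.
function loadConfigFailOpen(raw: string): ServerConfig {
  try {
    return JSON.parse(raw) as ServerConfig;
  } catch (_err) {
    return { allowedDirectories: [] }; // the "default config"
  }
}

// Flaw 2: an empty allow-list is treated like an explicit "/" (allow everything).
function isPathAllowedVulnerable(cfg: ServerConfig, target: string): boolean {
  const allowed = cfg.allowedDirectories;
  if (allowed.includes("/") || allowed.length === 0) {
    return true;
  }
  return allowed.some((dir) => isInside(dir, target));
}

// --- Fail-closed alternative ---

// A malformed or ill-typed config is a startup error, never a reason to widen access.
function loadConfigFailClosed(raw: string): ServerConfig {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error(`config.json is not valid JSON, refusing to start: ${(err as Error).message}`);
  }
  const dirs = (parsed as { allowedDirectories?: unknown } | null)?.allowedDirectories;
  if (!Array.isArray(dirs) || !dirs.every((d) => typeof d === "string" && path.isAbsolute(d))) {
    throw new Error("config.json: allowedDirectories must be an array of absolute paths");
  }
  return { allowedDirectories: dirs as string[] };
}

// An empty allow-list means nothing is allowed; "/" still works, but only as an explicit entry.
function isPathAllowedHardened(cfg: ServerConfig, target: string): boolean {
  if (cfg.allowedDirectories.length === 0) {
    return false;
  }
  return cfg.allowedDirectories.some((dir) => isInside(dir, target));
}

// The advisory's scenario end to end: corrupted config, then a read of /etc/passwd.
function readAllowedAfterCorruptConfig(hardened: boolean): boolean {
  const target = "/etc/passwd";
  if (!hardened) {
    return isPathAllowedVulnerable(loadConfigFailOpen(CORRUPT_CONFIG_JSON), target);
  }
  try {
    return isPathAllowedHardened(loadConfigFailClosed(CORRUPT_CONFIG_JSON), target);
  } catch (_err) {
    return false; // the server refuses to start, so the read never happens
  }
}

console.log("vulnerable server reads /etc/passwd after corruption:", readAllowedAfterCorruptConfig(false));
console.log("hardened server reads /etc/passwd after corruption:", readAllowedAfterCorruptConfig(true));
```

The important design point is that the two fixes are independent and both are needed: refusing to start on a malformed config surfaces the corruption to the operator instead of hiding it, while making an empty allow-list deny everything means that any other route to an empty array (a hand-edited file, a future default) cannot reopen the sandbox. Relying on the usageTracker to rewrite the file after each tool call is not a control, since the PoC shows it can be skipped.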
PoC
To reproduce this vulnerability:
- Initialize the MCP server normally.
- Send a request to the start_process tool that overwrites the config with invalid JSON and, in the same command, kills the node server (the spawned shell's parent process). This ensures the corrupted file is not repaired by the server's clean-up routines.
Command to execute via start_process arguments:
echo "{ this is structurally invalid json [[[" > ~/.claude-server-commander/config.json && kill -9 $PPID
- Restart the MCP server (simulating standard downtime recovery or orchestrator respawn).
- Call a normally restricted tool such as read_file with the absolute path /etc/passwd (outside standard allowed paths such as /root or /home).
The path, previously inaccessible, will be successfully read due to the fail-open state.
Log of Evidence
[*] Stage 1: Starting server and corrupting config.json
[*] Overwriting /root/.claude-server-commander/config.json with invalid JSON and crashing server...
[*] Server was killed, resp should be None: None
[*] Stage 2: Restarting server with corrupted config
[*] Attempting to read /etc/passwd (should be blocked normally but allowed now due to fail-open)
[+] EXPLOIT SUCCESS: Successfully read /etc/passwd!
[+] Output preview:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/u...
Impact
This vulnerability is a complete breakdown of the sandbox boundary (Improper Access Control / Sandbox Escape). An attacker who can invoke a single tool escapes the intended filesystem constraints and gains the ability to read, modify, or destroy any file the server process can reach; in the evidence above the server runs as root, so this extends to extracting SSH keys from ~/.ssh/, overwriting /etc/shadow, or injecting malicious payloads into system binaries, i.e., total host compromise.
Affected products
- Ecosystem: npm
- Package name: desktop-commander
- Affected versions: All current versions
- Patched versions:
Severity
- Severity: Critical
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses
- CWE-284: Improper Access Control
- CWE-636: Not Failing Securely ('Failing Open')
- CWE-755: Improper Handling of Exceptional Conditions
Occurrences
| Permalink | Description |
| --- | --- |
| src/config-manager.ts#L80-L87 | The init method catches the JSON.parse exception and falls back to a default configuration with an empty allowedDirectories array. |
| src/tools/filesystem.ts#L125-L130 | isPathAllowed treats an allowedDirectories length of zero as equivalent to unrestricted access to every path. |