Anthropic’s MCP Server Vulnerability Let Attackers Escape Server’s Sandbox and Execute Arbitrary Code
Two high-severity vulnerabilities in Anthropic’s Model Context Protocol (MCP) Filesystem Server enable attackers to escape sandbox restrictions and execute arbitrary code on host systems. 

The vulnerabilities, designated CVE-2025-53109 and CVE-2025-53110, affect versions prior to 0.6.3 and 2025.7.1 and represent a significant security risk as MCP adoption accelerates across enterprise environments where AI applications often run with elevated privileges.

Key Takeaways
1. CVE-2025-53109 (CVSS 8.4) and CVE-2025-53110 (CVSS 7.3) were discovered in Anthropic's MCP Filesystem Server, allowing sandbox escape.
2. A naive startsWith prefix check lets attackers reach directories outside the allowed scope by crafting paths that share a prefix with an allowed directory (for example /private/tmp/allow_dir_evil when /private/tmp/allow_dir is allowed).
3. A symlink whose target fails validation is still accepted because the error handling falls back to checking the symlink's parent directory, giving filesystem-wide read and write access and, on macOS, arbitrary code execution via Launch Agents.
4. Update to version 2025.7.1 (released July 1, 2025), which fixes both vulnerabilities.

Directory Containment Bypass (CVE-2025-53110)

The first vulnerability, CVE-2025-53110 (CVSS Score 7.3), exploits a directory containment bypass through naive prefix-matching validation. 

The Filesystem MCP Server used a simple startsWith check to verify that a requested path falls within one of the allowed directories.

Researchers demonstrated that an attacker can access sibling directories such as /private/tmp/allow_dir_sensitive_credentials when the allowed directory is /private/tmp/allow_dir, because the malicious path begins with the approved prefix even though it is not inside that directory.


Symlink Bypass to Code Execution (CVE-2025-53109)

The second, more severe vulnerability CVE-2025-53109 (CVSS Score 8.4) leverages symbolic link manipulation to achieve complete filesystem access. 

Attackers can create symbolic links pointing to sensitive system files like /etc/sudoers. The server does attempt to validate symlink targets by resolving them with fs.realpath() and checking the result against the allowed directories, but flawed error handling in the surrounding catch block allows the bypass to succeed.


Cymulate Research Labs reports that the attack chain works by first exploiting the prefix vulnerability to create a directory named /private/tmp/allow_dir_evil, then placing a symlink inside pointing to restricted files. 

When validation of the symlink target fails, the resulting error is thrown inside the try block and caught by a catch block intended for not-yet-existing files. That fallback validates only the parent directory of the symlink itself, which sits inside the allowed tree, and returns the symlink path rather than the target, so subsequent reads and writes follow the link to the restricted file and the containment check is bypassed completely.

Beyond file access, researchers demonstrated how these vulnerabilities enable arbitrary code execution through macOS Launch Agents. 

By writing malicious .plist files to locations like /Users/username/Library/LaunchAgents/, attackers can achieve persistent code execution with user privileges at login.

CVE | Description | Affected Products | CVSS 3.1 Score
CVE-2025-53110 | Directory containment bypass allowing unauthorized file access outside the sandbox | Anthropic MCP Filesystem Server versions prior to 0.6.3 and 2025.7.1 | 7.3 (High)
CVE-2025-53109 | Symlink bypass enabling full filesystem access | Anthropic MCP Filesystem Server versions prior to 0.6.3 and 2025.7.1 | 8.4 (High)

Anthropic has released patches in version 2025.7.1 addressing both vulnerabilities. 

Organizations should upgrade their MCP Filesystem Server deployments immediately and apply the principle of least privilege to limit the impact of any remaining bypass: run MCP servers under a dedicated low-privileged account and expose only the directories a given workflow actually needs. 

The discovery highlights the importance of rigorous security validation as AI systems gain deeper integration with critical infrastructure and sensitive data systems.
