Anthropic MCP Server Flaw Allows Sandbox Escape and Code Execution

Two newly disclosed vulnerabilities in Anthropic’s Filesystem Model Context Protocol (MCP) Server—CVE-2025-53110 and CVE-2025-53109—have exposed AI-powered environments to severe risks, including sandbox escapes, unauthorized file access, and arbitrary code execution.

These flaws, discovered by Cymulate Research Labs, highlight urgent security challenges as MCP adoption accelerates in enterprise and developer ecosystems.

Anthropic’s Model Context Protocol (MCP) is rapidly becoming the standard for enabling large language model (LLM) clients, such as Claude Desktop, to interact with external data and tools.

The Filesystem MCP Server, a Node.js-based implementation, is designed to restrict file operations to a set of “allowed directories,” theoretically keeping the AI’s access safely sandboxed.

The Vulnerabilities

| CVE ID | Name/Type | CVSS Score | Patched Version |
|---|---|---|---|
| CVE-2025-53110 | Directory Containment Bypass | 7.3 | 0.6.3 / 2025.7.1 |
| CVE-2025-53109 | Symlink Bypass to Code Exec | 8.4 | 0.6.3 / 2025.7.1 |

CVE-2025-53110: Directory Containment Bypass

The Filesystem MCP Server checks whether a requested path starts with an allowed directory's string prefix. Attackers can exploit this by crafting paths such as /private/tmp/allow_dir_sensitive: the path shares the allowed directory's prefix and so passes the check, yet it lies outside the intended sandbox.

This enables unrestricted listing, reading, and writing of files beyond the designated boundary—potentially leading to data breaches and privilege escalation.

CVE-2025-53109: Symlink Bypass to Code Execution

A more severe flaw lies in the server’s symlink resolution logic. Attackers can create symlinks within the allowed directory (or a prefix-bypassed directory) that point anywhere on the filesystem, such as /etc/sudoers.

Due to improper error handling, the server validates the symlink’s parent directory rather than its real target, allowing attackers to read or overwrite critical system files.

This can be chained to achieve arbitrary code execution, for example by writing malicious macOS Launch Agent plists, leading to full system compromise if the server runs with elevated privileges.

Recommended Actions

  • Update Immediately: Upgrade to Filesystem MCP Server version 0.6.3 or 2025.7.1, which patch both vulnerabilities.
  • Enforce Least Privilege: Run all MCP-related services with minimal necessary permissions.
  • Validate Defenses: Use exposure validation platforms to simulate these attacks and confirm detection of directory and symlink abuses.

With MCP’s ecosystem rapidly expanding, these vulnerabilities underscore the need for robust security reviews and swift patch adoption to protect sensitive environments from emerging AI-driven threats.
