[New Advisory] File Upload Path Traversal — Local File Exfiltration in mcp-playwright

[hacnho]

Advisory Details

Package: @anthropic-ai/mcp-playwright (npm) / executeautomation/mcp-playwright
Repository: https://github.com/executeautomation/mcp-playwright
CWE: CWE-22 (Path Traversal)
Severity: Medium

Summary

The file upload functionality accepts a local file path parameter without validation. An attacker can use path traversal to read and exfiltrate arbitrary local files by uploading them to an attacker-controlled server.

Details

The file upload tool takes a local file path as input and uploads it to a specified URL. There is no restriction on which local files can be read. Combined with a controlled upload target, this allows exfiltration of any file readable by the MCP server process.

PoC

1. Use the file upload tool with file path set to /etc/passwd or ~/.ssh/id_rsa
2. Set the upload target to an attacker-controlled server
3. The sensitive file is read and uploaded to the attacker

Impact

Arbitrary local file read and exfiltration. An attacker can steal SSH keys, environment files with secrets, database credentials, and any other file accessible to the server process.

[schneidergithub]

Where are you seeing this in the repo? If I understand correctly, the local user is uploading their password to an attacker's server, but how is an attacker changing the local user's path? This sounds like user error to me :)

[hacnho]

The attack vector here isn't a user manually uploading their own files — it's prompt injection via MCP.

MCP servers like mcp-playwright are tools invoked by LLMs (Claude, GPT, etc.) on behalf of the user. The threat model is:

1. User browses a malicious webpage or processes an attacker-crafted document through the LLM
2. The page/document contains hidden prompt injection instructions
3. The LLM, following the injected instructions, autonomously calls the file upload tool with filePath: "/etc/passwd" or ~/.ssh/id_rsa and uploads it to an attacker-controlled URL
4. The user never explicitly consented to this action

The user isn't "uploading their password to an attacker's server" — the LLM is tricked into doing it. This is why MCP tools need input validation and path restrictions — the caller (LLM) can be manipulated by untrusted content.

This is a well-documented attack class for MCP/tool-use systems. See: Anthropic's MCP security guidelines and research on indirect prompt injection.