excel-mcp-server@0.1.3

Excel MCP Server for manipulating Excel files

  • latest version

    0.1.8

  • latest non vulnerable version

  • first published

    1 year ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the excel-mcp-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Directory Traversal

    excel-mcp-server is an Excel MCP Server for manipulating Excel files

    Affected versions of this package are vulnerable to Directory Traversal via the get_excel_path function. An attacker can read, write, overwrite, and create arbitrary files and directories on the host filesystem by supplying crafted filepath arguments to exposed tool handlers. This can be achieved remotely without authentication, allowing exfiltration of sensitive data, destruction or corruption of files, and potential denial of service by filling disk space. This is only exploitable if the server is running in SSE or Streamable-HTTP transport mode and is accessible over the network with default or permissive configurations.

    How to fix Directory Traversal?

    Upgrade excel-mcp-server to version 0.1.8 or higher.

    Vulnerable version: [,0.1.8)
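
    The path confinement a tool handler needs before it touches a caller-supplied filepath, as an added example: this is not the package's code or its 0.1.8 fix. `resolve_excel_path`, `PathOutsideBaseError`, `check_samples` and the workbook-extension allowlist are hypothetical names and assumptions, and the sample paths are constructed.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBaseError(ValueError):
    """Raised when a requested file is not an allowed path inside the base directory."""


def resolve_excel_path(base_dir: str, filepath: str) -> Path:
    """Hypothetical helper: resolve filepath strictly inside base_dir or raise."""
    if not filepath or "\x00" in filepath:
        raise PathOutsideBaseError("empty or malformed filepath")
    base = Path(base_dir).resolve(strict=True)
    # Joining an absolute path would silently discard base, so refuse it outright.
    if os.path.isabs(filepath) or Path(filepath).drive:
        raise PathOutsideBaseError("absolute paths are not accepted")
    # resolve() collapses ".." and follows existing symlinks, so the containment
    # check below runs on the real target rather than on the string as typed.
    candidate = (base / filepath).resolve(strict=False)
    # Component-wise comparison: a startswith() test would accept "workbooks2".
    if not candidate.is_relative_to(base):
        raise PathOutsideBaseError(f"{filepath!r} escapes {base}")
    # Assumption: the server only ever needs workbook files.
    if candidate.suffix.lower() not in {".xlsx", ".xlsm"}:
        raise PathOutsideBaseError("only Excel workbooks are allowed")
    return candidate


def check_samples() -> dict:
    """Run constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "workbooks")
        base.mkdir()
        outside = Path(root, "outside")
        outside.mkdir()
        os.symlink(outside, base / "link")  # symlink pointing out of base
        samples = [
            "report.xlsx", "sub/q1.xlsx", "../outside/x.xlsx",
            "../workbooks2/x.xlsx", "/tmp/other.xlsx", "link/x.xlsx", "notes.txt",
        ]
        for name in samples:
            try:
                resolve_excel_path(str(base), name)
                results[name] = "allowed"
            except PathOutsideBaseError:
                results[name] = "rejected"
    return results
```

    The check and the later file open are separate steps, so the base directory should not be writable by untrusted parties who could swap in a symlink between them.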