CVE-2025-11489
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in wonderwhy-er DesktopCommanderMCP up to 0.2.13. This vulnerability affects the function isPathAllowed of the file src/tools/filesystem.ts. The manipulation leads to symlink following. The attack can only be performed from a local environment. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The vendor explains: "Our restriction features are designed as guardrails for LLMs to help them stay closer to what users want, rather than hardened security boundaries. (...) For users where security is a top priority, we continue to recommend using Desktop Commander with Docker, which provides actual isolation. (...) We'll keep this issue open for future consideration if we receive more user demand for improved restrictions." This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11489
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wonderwhy-er desktopcommandermcp to 0.2.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11489 is a directory traversal vulnerability in the isPathAllowed function of wonderwhy-er DesktopCommanderMCP up to version 0.2.13. The function is intended to restrict file operations to allowed directories by normalizing paths, but it fails to resolve symbolic links (symlinks). An attacker with local access can create a symlink inside an allowed directory that points to a restricted or sensitive location outside it. Because the function only checks the path string and not the resolved target, it mistakenly allows access. This enables arbitrary file read or write operations outside the intended directory, potentially exposing sensitive files or allowing code execution if executable files are overwritten. [1, 2, 4]

Impact Analysis

This vulnerability can allow an attacker with local access to bypass directory restrictions and read or modify any file accessible by the process running DesktopCommanderMCP. This includes sensitive data such as SSH keys, configuration files, or other confidential information. Additionally, if executable files are overwritten, it could lead to code execution. The severity depends on the privileges of the user running the affected service. Since the exploit requires local access and has high attack complexity, it is considered difficult to exploit but still poses a significant risk. [1, 2, 4]

Detection Guidance

This vulnerability can be detected by checking for the presence of symlinks inside allowed directories that point to restricted or sensitive locations outside those directories. A practical approach is to look for symbolic links within the allowed directory and verify their targets. For example, using the command `find /path/to/allowed/directory -type l -exec ls -l {} \;` will list all symlinks and their targets inside the allowed directory. If any symlink points outside the allowed directory, it indicates a potential exploitation of this vulnerability. Additionally, attempts to access files through such symlinks can be tested to confirm if unauthorized access is possible. [2]

Mitigation Strategies

Immediate mitigation steps include running Desktop Commander within Docker containers to provide actual isolation, as recommended by the vendor. This containment prevents the vulnerability from allowing unauthorized file access outside the container. Additionally, users should avoid running the affected versions of DesktopCommanderMCP (up to 0.2.13) on production systems, as the product is no longer supported and no official patches are available. If possible, modify or patch the isPathAllowed function to resolve canonical paths including symlinks (e.g., using Node.js's fs.realpathSync()) before validating paths to prevent symlink bypass. Until a fix is applied, restrict local user access to the system to trusted users only. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart