CVE-2025-61685
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-61685, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-03

Last updated on: 2025-10-06

Assigner: GitHub, Inc.

Description

Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-03
Last Modified
2025-10-06
Generated
2026-07-06
AI Q&A
2025-10-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
mastra-ai mcp-docs-server 0.13.8
mastra-ai mastra *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-548 The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Directory Traversal attack in the Mastra Typescript framework (versions 0.13.8 through 0.13.20-alpha.0). Although there is a security check intended to prevent path traversal when reading file contents, this check is bypassed by later code that tries to find directory suggestions. As a result, an attacker can list the contents of arbitrary directories on the user's filesystem, including sensitive directories like the user's home directory, exposing information about the file system's structure.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to disclose directory listings on the affected system. By accessing arbitrary directories, including the user's home directory, sensitive information about the file system structure and potentially sensitive files can be exposed. This can lead to information disclosure that may aid further attacks or compromise user privacy.

Mitigation Strategies

Upgrade Mastra to version 0.13.20 or later, as this version contains the fix for the directory traversal vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart