CVE-2025-61685
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-06

Assigner: GitHub, Inc.

Description
Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure. This issue is fixed in version 0.13.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61685
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mastra-ai mcp-docs-server 0.13.8
mastra-ai mastra *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-548 The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Directory Traversal attack in the Mastra Typescript framework (versions 0.13.8 through 0.13.20-alpha.0). Although there is a security check intended to prevent path traversal when reading file contents, this check is bypassed by later code that tries to find directory suggestions. As a result, an attacker can list the contents of arbitrary directories on the user's filesystem, including sensitive directories like the user's home directory, exposing information about the file system's structure.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to disclose directory listings on the affected system. By accessing arbitrary directories, including the user's home directory, sensitive information about the file system structure and potentially sensitive files can be exposed. This can lead to information disclosure that may aid further attacks or compromise user privacy.

Mitigation Strategies

Upgrade Mastra to version 0.13.20 or later, as this version contains the fix for the directory traversal vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart