CVE-2025-61685
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mastra-ai | mcp-docs-server | 0.13.8 |
| mastra-ai | mastra | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-548 | The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Directory Traversal attack in the Mastra Typescript framework (versions 0.13.8 through 0.13.20-alpha.0). Although there is a security check intended to prevent path traversal when reading file contents, this check is bypassed by later code that tries to find directory suggestions. As a result, an attacker can list the contents of arbitrary directories on the user's filesystem, including sensitive directories like the user's home directory, exposing information about the file system's structure.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with limited privileges to disclose directory listings on the affected system. By accessing arbitrary directories, including the user's home directory, sensitive information about the file system structure and potentially sensitive files can be exposed. This can lead to information disclosure that may aid further attacks or compromise user privacy.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mastra to version 0.13.20 or later, as this version contains the fix for the directory traversal vulnerability.