Wolfe-Jam/claude-faf-mcp

v5.7.2 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 3d MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

agents-md ai ai-context ai-readiness anthropic claude
claude-ai claude-desktop developer-tools faf gemini github-copilot mcp mcp-server model-context-protocol nodejs npm project-dna typescript vscode

Affected surfaces

rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 3d

Version v5.7.2 adds path confinement that restricts all caller‑supplied `path` arguments to the project root or `.faf` context, preventing directory traversal and unauthorized file read/write.

Why it matters: this is a security fix that blocks arbitrary file access for any code using `getProjectPath()`, `faf_read`, or `faf_write`; severity scored 95. Operators must upgrade to v5.7.2 immediately.

Summary

AI summary

Path confinement now restricts all caller‑supplied path arguments to the project root or .faf context, preventing file traversal and arbitrary read/write.

Changes in this release

Security Critical

Adds path confinement to prevent directory traversal and unauthorized file access.

Source: llm_adapter@2026-06-11

Confidence: high

Full changelog

Security

Path confinement on every caller-supplied path argument (CWE-22 / CWE-73 / CWE-200).

The shared getProjectPath() chokepoint (feeding the .faf tools) and the faf_read / faf_write file tools resolved a caller path straight into a filesystem read/write with no confinement — so an absolute path or ../ traversal could read any file the server process could read (e.g. /etc/passwd, ~/.ssh/id_rsa) or write outside the project.

New safe-path.ts confines reads to .faf / .fafm context files and general file ops to the project root (cwd + system temp; override with FAF_ALLOWED_ROOTS), canonicalizes through symlinks (closing the symlink bypass), and rejects traversal/absolute escapes; callTool() gains a central PATH-DENIED guard. Adds a security regression suite.

Identified by the maintainers during a sibling-server audit prompted by the coordinated disclosure of the same class of issue in grok-faf-mcp by Zhihao Zhang (Worcester Polytechnic Institute).

Upgrade: `npm install -g claude-faf-mcp@5.7.2` (or one-click .mcpb).


Assisted by Claude (Opus 4.8) · Approved by James Wolfe (@Wolfe-Jam)
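
The confinement steps the changelog describes (canonicalize through symlinks, then test containment against the allowed roots) can be sketched as follows. This is an added example, not the project's `safe-path.ts`: the function names, the rule that relative input resolves against the first root, and the fixture are assumptions, and only the PATH-DENIED label comes from the changelog.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// lstat-based check: a dangling symlink counts as existing, so realpathSync()
// below throws on it (fail closed) instead of a later write following it.
function exists(p) {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Canonicalize a path that may not exist yet (a write target): realpath the
// deepest existing ancestor, then re-append the segments that do not exist.
function canonicalize(abs) {
  const tail = [];
  let cur = abs;
  while (!exists(cur) && path.dirname(cur) !== cur) {
    tail.unshift(path.basename(cur));
    cur = path.dirname(cur);
  }
  return path.join(fs.realpathSync(cur), ...tail);
}

// Return the canonical path if it lies inside one of the roots, else throw.
// Relative input resolves against roots[0] (assumed to be the project root).
function confine(requested, roots) {
  const real = canonicalize(path.resolve(roots[0], requested));
  for (const root of roots) {
    const rel = path.relative(fs.realpathSync(root), real);
    const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
    if (!escapes) return real;
  }
  throw new Error("PATH-DENIED: " + requested);
}

// Constructed fixture: a project root, a look-alike sibling, and a symlink out.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "confine-"));
  const root = path.join(tmp, "project");
  const secret = path.join(tmp, "project-evil", "secret.txt");
  fs.mkdirSync(root);
  fs.mkdirSync(path.dirname(secret));
  fs.writeFileSync(secret, "constructed\n");
  fs.writeFileSync(path.join(root, "project.faf"), "constructed\n");
  fs.symlinkSync(path.dirname(secret), path.join(root, "link"));
  const verdict = (p) => { try { confine(p, [root]); return "ok"; } catch { return "denied"; } };
  const out = ["project.faf", "new/out.txt", "../project-evil/secret.txt", secret, "link/secret.txt"].map(verdict);
  fs.rmSync(tmp, { recursive: true, force: true });
  return out;
}
```

Comparing with `path.relative()` rather than a string prefix is what keeps the sibling `project-evil` directory from passing as part of `project`.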

Security Fixes

  • CVE-2024-XXXXX – Path traversal vulnerability (CWE-22/73/200) in `getProjectPath()`, `faf_read`, and `faf_write` fixed by enforcing confinement to project root or `.faf` context.


About Wolfe-Jam/claude-faf-mcp

First & only persistent project context MCP. Provides .faf (Foundational AI-context Format) Project DNA with 33+ tools, Podium scoring (0-100%), and format-driven architecture. Official Anthropic Registry. 10k+ npm downloads.
