Wolfe-Jam/faf-mcp

v2.1.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents-md ai ai-context claude cline cursor

+14 more

developer-tools faf gemini grok mcp mcp-server model-context-protocol nodejs npm project-dna typescript vscode warp windsurf

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 3d

Version v2.1.3 adds path confinement to block directory traversal on all caller‑supplied `path` arguments, fixing arbitrary read/write vulnerabilities.

Why it matters: The update restricts file system access to the project root and .faf context files, eliminating a critical security flaw that could allow unauthorized reads or writes; operators with prior versions must upgrade immediately.

Summary

AI summary

Path confinement now restricts filesystem access to project root and .faf context files, fixing arbitrary read/write vulnerabilities.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Adds path confinement to prevent directory traversal on all caller-supplied `path` arguments. Adds path confinement to prevent directory traversal on all caller-supplied `path` arguments. Source: llm_adapter@2026-06-11 Confidence: high	—
Security	High	Introduces a security regression test suite. Introduces a security regression test suite. Source: granite4.1:30b@2026-06-11-audit Confidence: low	—

Full changelog

Security

Path confinement on every caller-supplied path argument (CWE-22 / CWE-73 / CWE-200).

The shared getProjectPath() chokepoint (feeding the .faf tools) and the faf_read / faf_write file tools resolved a caller path straight into a filesystem read/write with no confinement — so an absolute path or ../ traversal could read any file the server process could read (e.g. /etc/passwd, ~/.ssh/id_rsa) or write outside the project.

New safe-path.ts confines reads to .faf / .fafm context files and general file ops to the project root (cwd + system temp; override with FAF_ALLOWED_ROOTS), canonicalizes through symlinks (closing the symlink bypass), and rejects traversal/absolute escapes; callTool() gains a central PATH-DENIED guard. Adds a security regression suite.

Identified by the maintainers during a sibling-server audit prompted by the coordinated disclosure of the same class of issue in grok-faf-mcp by Zhihao Zhang (Worcester Polytechnic Institute).

Upgrade: npm install -g [email protected] (or npx faf-mcp).

Assisted by Claude (Opus 4.8) · Approved by James Wolfe (@Wolfe-Jam)

Security Fixes

CVE-2024-XXXXX — Path traversal vulnerability (CWE-22/CWE-73/CWE-200) in getProjectPath(), faf_read, and faf_write fixed by enforcing path confinement

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Wolfe-Jam/faf-mcp

Get notified when new releases ship.

About Wolfe-Jam/faf-mcp

Universal persistent project context for Cursor, Windsurf, Cline, VS Code, and all MCP-compatible platforms (including Claude Desktop). IANA-registered format (application/vnd.faf+yaml). 17 native tools, AI-readiness scoring.

All releases →