GHSA-j7h9-2jh7-g967 - mcp-ssh-tool has file transfer path policy bypass and bearer token comparison ha

📡 GitHub-Advisory · 2026-05-07

GHSA-j7h9-2jh7-g967 HIGH npm/mcp-ssh-tool

CVE:

Summary

mcp-ssh-tool has released version 2.1.1 with security hardening for transfer path authorization and HTTP bearer authentication.

The release addresses:

  • insufficient local path policy enforcement in transfer-related filesystem handling
  • incomplete canonicalization and segment-boundary handling for deny-prefix path policy checks
  • non-constant-time HTTP bearer token comparison

Impact

Affected versions may allow policy bypass in transfer path handling under specific configurations, and may expose a timing side channel in bearer-token comparison for HTTP deployments.

Patched Version

Upgrade to mcp-ssh-tool >= 2.1.1.

npm install -g mcp-ssh-tool@latest

Workarounds

For deployments that cannot immediately upgrade:

  • avoid exposing HTTP transport beyond loopback
  • use strict filesystem policy configuration
  • avoid granting MCP clients access to sensitive local transfer paths
  • monitor audit logs for unexpected transfer operations

Credits

Reported by dodge1218.

