GHSA-j7h9-2jh7-g967: Path Policy Bypass and Timing Side-Channel in mcp-ssh-tool

The mcp-ssh-tool package functions as a production-grade Model Context Protocol (MCP) SSH automation server. It facilitates secure remote command execution, file transfers, and tunnel operations. The server relies on an HTTP transport layer secured by bearer token authentication and utilizes a localized policy engine to restrict file system access.

Versions of the software prior to 2.1.1 exhibit two distinct vulnerability classes. The first flaw involves incomplete path policy enforcement, categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The second flaw is an observable timing differential, categorized under CWE-208, within the HTTP bearer authentication mechanism.

These vulnerabilities allow an unauthenticated or unauthorized remote attacker to subvert intended security controls. The path traversal flaw permits access to restricted file system locations, while the timing side-channel facilitates the extraction of the authentication token. Both vectors independently compromise the integrity and confidentiality boundaries of the MCP server.

The path policy bypass originates from a flaw in how the server evaluates restricted directory prefixes. The authorization mechanism utilizes a deny-prefix check to block access to specific file system hierarchies. The implementation performs a raw string prefix comparison without verifying directory segment boundaries.

If an administrator configures a denial rule for the /etc directory, the engine verifies if the requested path starts with the string /etc. An attacker supplying a path such as /etc-secrets bypasses the restriction because, while it shares the denied string prefix, it represents a distinct directory entry entirely outside the denied hierarchy.

Additionally, the server fails to enforce path canonicalization prior to policy evaluation. When an application accepts file paths containing traversal sequences (..) without resolving them to their absolute form, the string-based policy check only evaluates the literal input. An attacker can supply a permitted base directory followed by traversal sequences to navigate into restricted areas.

The second vulnerability stems from the implementation of the bearer token validation logic. The server uses a standard string equality operator (e.g., ===) to compare the incoming token against the expected secret. Standard string comparison functions return false immediately upon encountering the first mismatched character. This early-exit behavior creates a measurable difference in processing time depending on how many characters match the expected string, forming a timing side-channel.

While exact source code diffs are not provided in the advisory, the vulnerability description outlines standard anti-patterns in Node.js applications. The vulnerable path authorization likely relied on the String.prototype.startsWith() method without enforcing a trailing directory separator.

// Vulnerable Implementation Example
function isDenied(targetPath, deniedPrefix) {
  // Flaw 1: No canonicalization of targetPath
  // Flaw 2: Missing segment boundary check
  return targetPath.startsWith(deniedPrefix);
}

The patched implementation must perform path resolution using native libraries such as path.resolve() or path.normalize() to eliminate traversal sequences before comparison. It must also ensure the prefix check operates on distinct path segments rather than raw substrings.

// Patched Implementation Example
const path = require('path');
 
function isDenied(targetPath, deniedPrefix) {
  const resolvedTarget = path.resolve(targetPath);
  const resolvedPrefix = path.resolve(deniedPrefix);
  
  // Ensure exact match or directory boundary
  return resolvedTarget === resolvedPrefix || resolvedTarget.startsWith(resolvedPrefix + path.sep);
}

For the timing side-channel, the vulnerable code utilized standard equality operators for cryptographic material. The patch requires replacing the standard comparison with a constant-time comparison function, which processes the entire length of the buffers regardless of where a mismatch occurs.

// Vulnerable Auth Implementation
if (providedToken === expectedToken) { /* ... */ }
 
// Patched Auth Implementation
const crypto = require('crypto');
if (crypto.timingSafeEqual(Buffer.from(providedToken), Buffer.from(expectedToken))) { /* ... */ }

Exploiting the path policy bypass requires an attacker to identify the target paths explicitly denied by the server configuration. The attacker constructs a file transfer request specifying a source or destination path that either appends a suffix to the denied directory name (e.g., /var/log-backup instead of /var/log) or utilizes unresolved traversal sequences (e.g., /tmp/../etc/passwd).

The server receives the malicious path, evaluates it against the naive startsWith filter, and permits the operation. The underlying file system API then processes the traversal sequences natively, allowing the attacker to read or write files outside the intended operational scope.

Exploiting the observable timing differential requires a high-resolution timing attack against the authentication endpoint. The attacker iteratively sends HTTP requests containing a guessed bearer token. The attacker measures the time elapsed between sending the request and receiving the 401 Unauthorized response.

By systematically varying the token character by character, the attacker identifies the correct character at each position by observing a statistically significant increase in response latency. This process is repeated until the entire token is recovered. Network jitter complicates this attack, necessitating hundreds or thousands of requests per character to achieve statistical confidence.

The CVSS v4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) assigns a base score of 8.7, indicating high severity. The primary designated impact is to Vulnerability Integrity (VI:H), reflecting the path traversal's ability to arbitrarily write files to unauthorized file system locations via the ingress file transfer functionality.

Depending on the specific operating system and server privileges, arbitrary file write capabilities often cascade into Remote Code Execution (RCE). An attacker can overwrite SSH authorized keys, place malicious binaries in system paths, or manipulate configuration files used by the mcp-ssh-tool server.

Successful extraction of the bearer token via the timing side-channel attack grants the attacker full authentication. Once authenticated, the attacker inherits all privileges associated with the MCP server, enabling them to execute remote commands, establish tunnels, and transfer files without relying on the path bypass vulnerability.

The primary remediation for both vulnerabilities is updating the mcp-ssh-tool package to version 2.1.1 or later. The update introduces canonicalization for file paths, strict segment boundary enforcement for deny-prefix rules, and constant-time comparison for bearer token authentication.

Administrators should execute npm install -g mcp-ssh-tool@latest to apply the patch across global installations. Restart the service after the installation completes to ensure the new runtime logic takes effect.

If immediate patching is unfeasible, administrators must enforce network-level mitigations. Bind the HTTP transport exclusively to the loopback interface (127.0.0.1) to prevent external access. Facilitate remote access only through authenticated SSH tunnels or internal zero-trust network architectures.

Additionally, review local filesystem policy configurations. Ensure that denied directories do not share string prefixes with sensitive but identically prefixed siblings. Monitor server logs closely for 401 Unauthorized errors generated in rapid succession, as this indicates an active timing attack against the authentication module.