Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Reddit r/netsec

We found a path traversal in an MCP server with 7,700 stars that lets AI agents read your SSH keys. Fix merged.

A path traversal vulnerability (CWE-22) in the upstash/context7 MCP server allowed connected AI agents to read arbitrary host files, such as SSH keys and credentials, by exploiting insufficient path validation in the skill installation endpoint. The issue was reported and a fix adding path boundary validation was merged within six days. Users of the affected project should update to the latest version containing the merged fix.

> **TL;DR:** A path traversal vulnerability in context7 (49,000 GitHub stars) allowed any connected AI agent to read arbitrary files from the host machine — including SSH keys, .env secrets, and database credentials. We found it, reported it, and the fix was merged in 6 days. But this isn't an isolated case.
>
> ---
>
> **The Attack**
>
> Here's what an attacker can do to your AI agent right now:
>
> 1. Craft a malicious prompt that asks the agent to install a "skill" or "workflow"
> 2. The agent calls the MCP server's file operation with a path like `../../.ssh/id_rsa`
> 3. No path validation exists — the server reads the file and returns it
> 4. Your SSH private key is now in the conversation — visible to the attacker
>
> This is not a theoretical attack. This was live code in a project used by tens of thousands of developers.
>
> ---
>
> **The Discovery**
>
> SpiderShield, our open-source MCP security scanner, flagged a path traversal (CWE-22) vulnerability in upstash/context7 — one of the most popular MCP-adjacent projects with 49,000+ GitHub stars.
>
> The vulnerability was in the skill file installation endpoint. The name parameter was used directly in file path construction:
>
> ```python
> # Simplified — the actual vulnerable pattern
> path = SKILLS_DIR / (name + ".yaml")
> # name = "../../.ssh/id_rsa" → reads outside the intended directory
> ```
>
> No resolve() check. No parent directory validation. No character filtering.
>
> An AI agent connected to this server could be tricked — via prompt injection or a malicious skill — into reading any file on the host machine.
>
> ---
>
> **What Could Be Stolen**
>
> | File | What's in it | Impact |
> |---|---|---|
> | ~/.ssh/id_rsa | SSH private key | Access to all your servers |
> | ~/.env | API keys, DB passwords | Full account compromise |
> | ~/.aws/credentials | AWS access keys | Cloud takeover |
> | ~/.kube/config | Kubernetes credentials | Cluster compromise |
> | /etc/passwd | System users | Reconnaissance for further attacks |
>
> The agent doesn't know it's being exploited. It's just following instructions — reading a "skill file" that happens to be your private key.
>
> ---
>
> **The Fix**
>
> We reported the vulnerability via GitHub Issue #2234 and submitted a fix in PR #2235. The fix adds path boundary validation:
>
> ```python
> resolved = path.resolve()
> if not resolved.is_relative_to(SKILLS_DIR.resolve()):
>     raise ValueError("Path traversal detected")
> ```
>
> The PR was reviewed and merged in 6 days. If you're using context7, update to the latest version.
>
> ---
>
> **This Is Not an Isolated Case**
>
> We scanned 15,923 MCP servers with SpiderShield. Path traversal is one of the most common vulnerability patterns:
>
> - 757 servers have token/credential leakage issues
> - 36% of all MCP servers scored Grade F (failing)
> - Path traversal specifically appears in file operation tools, workflow managers, and skill installers
>
> We've since found and fixed similar vulnerabilities in multiple other projects, submitting 37 pull requests across 28 repositories. 5 have been merged so far, in projects with a combined 86,000+ GitHub stars.
>
> ---
>
> **Why MCP Servers Are Uniquely Dangerous**
>
> Traditional web vulnerabilities require an attacker to find and exploit them directly. MCP server vulnerabilities are different: the AI agent is the attack vector.
>
> ```
> Traditional web app: Attacker → finds vulnerability → exploits it
> MCP server:          Attacker → injects prompt → AI agent exploits the vulnerability for them
> ```
>
> The agent has legitimate access to the MCP server's tools. The agent trusts the instructions it receives. If those instructions are poisoned — via prompt injection, a malicious tool description, or a compromised upstream skill — the agent becomes an unwitting accomplice.
>
> This means every MCP server vulnerability is amplified by the number of agents connected to it.
>
> ---
>
> **How to Protect Yourself**
>
> Scan your MCP server in 30 seconds:
>
> ```bash
> pip install spidershield
> spidershield scan /path/to/your/mcp-server
> ```
>
> Or check any server's rating instantly:
>
> ```bash
> spidershield check owner/repo
> ```
>
> What to look for in your own code:
>
> - Any file operation that takes user/agent input as a path → add resolve() + parent check
> - Any shell=True in subprocess calls → switch to argument arrays
> - Any === comparison of secrets/tokens → use crypto.timingSafeEqual()
>
> ---
>
> **Timeline**
>
> | Date | Event |
> |---|---|
> | 2026-03-12 | SpiderShield scanner flags CWE-22 in context7 |
> | 2026-03-13 | Issue #2234 filed, PR #2235 submitted |
> | 2026-03-19 | PR merged by maintainers (4 review comments addressed) |
> | 2026-03-28 | This disclosure published |
>
> ---
>
> *All vulnerabilities were responsibly disclosed. The fix was merged before this post was published. SpiderShield is open source and free.*
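As an added example, not code from the context7 project or from the post's author: a minimal Python "skill installer" that places the unchecked path construction the post describes next to the boundary-checked version the fix uses, plus a stricter name-allowlist variant. The skills directory, the skill names, the secret file and the symlink are all constructed inside the example so it runs offline; `SAFE_NAME`, `boundary_checked_path`, `safe_skill_path` and `demo` are names chosen here, not identifiers from the project.

```python
# Added example, not code from the context7 project or the post author.
# A minimal skill installer showing the unsafe path construction beside a
# boundary-checked version. All paths and names below are constructed.
import os
import re
import tempfile
from pathlib import Path

# Defense in depth (assumption: skill names are plain file names). Anything
# with a separator, a leading dot or a ".." component is rejected up front.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def unsafe_skill_path(skills_dir: Path, name: str) -> Path:
    """The vulnerable pattern from the post: name is joined into the path
    unchecked, so '../../.ssh/id_rsa' (or an absolute name) escapes skills_dir."""
    return skills_dir / (name + ".yaml")


def boundary_checked_path(skills_dir: Path, name: str) -> Path:
    """The fix the post describes: resolve both sides, then require the
    candidate to stay under the skills directory.

    resolve() collapses '..' components and follows symlinks, so a symlink
    planted inside skills_dir that points elsewhere is also caught; a plain
    string-prefix check on the unresolved path would miss that case."""
    base = skills_dir.resolve()
    candidate = (base / (name + ".yaml")).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError("Path traversal detected")
    return candidate


def safe_skill_path(skills_dir: Path, name: str) -> Path:
    """Stricter variant: allowlist the name first, then apply the boundary check."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"invalid skill name: {name!r}")
    return boundary_checked_path(skills_dir, name)


def accepts(check, skills_dir: Path, name: str) -> bool:
    """True if `check` would hand back a path for this name, False if it refuses."""
    try:
        check(skills_dir, name)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Probe each variant with a benign name, two traversal names and a
    symlink that points outside the skills directory. Returns, per name,
    whether the unsafe path lands inside the directory and whether each
    checked variant accepts the name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        skills = tmp / "skills"
        skills.mkdir()
        outside = tmp / "outside"
        outside.mkdir()
        # Constructed stand-in for a secret living outside the skills directory.
        (outside / "secret.yaml").write_text("token: constructed-secret\n")
        try:
            # A symlink inside skills_dir whose name looks like a valid skill.
            os.symlink(outside / "secret.yaml", skills / "escape.yaml")
            results["symlink_created"] = True
        except OSError:  # e.g. no symlink privilege on some platforms
            results["symlink_created"] = False
        for name in ("deploy", "../../.ssh/id_rsa", "/etc/passwd", "escape"):
            results[name] = {
                "unsafe_inside": unsafe_skill_path(skills, name)
                .resolve()
                .is_relative_to(skills.resolve()),
                "boundary": accepts(boundary_checked_path, skills, name),
                "strict": accepts(safe_skill_path, skills, name),
            }
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

The "escape" case is the one worth noticing: the name passes the allowlist and contains no `..`, yet `boundary_checked_path` still rejects it because `resolve()` follows the planted symlink to a file outside the directory. That is why the post's fix resolves both the candidate and the base rather than checking the unresolved string.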
