216.73.217.98

CVE-2025-66689

· Published 12/01/2026 17:15 · Modified 13/01/2026 14:03

Labels: CVE-2025-66689 2026-01-12CVE-2025-66689CWE-22[email protected]

Essential information

Published
12/01/2026 17:15
Modified
13/01/2026 14:03
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zen / zen mcp server cpe:2.3:a:zen:zen_mcp_server:<9.8.2:*:*:*:*:*:*:*

References