logo

Database

Lack of data validation - Path Traversal In wireshark-mcp

Description

wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured

Description

Impact

wireshark-mcp exposes a wireshark_export_objects MCP tool that accepts an attacker-controlled dest_dir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction.

The path sandbox (_allowed_dirs) is None by default and only activates when the environment variable WIRESHARK_MCP_ALLOWED_DIRS is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination.

Affected code (src/wireshark_mcp/tshark/client.py:531-543):


output_validation = self._validate_output_path(dest_dir)

# Default: _allowed_dirs = None → no restriction.

os.makedirs(dest_dir, exist_ok=True)   # creates arbitrary directories

cmd = [..., "--export-objects", f"{protocol},{dest_dir}"]...

Attack Scenario

An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized_keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark_export_objects with:


dest_dir=/home/user/.ssh/

tshark then extracts and writes the HTTP object to that path, granting the attacker SSH access.

The same technique can target:

    /etc/cron.d/

    Writable web roots

    Other sensitive filesystem locations

Additional Affected Operations

The same missing sandbox affects:

    merge_pcap_files

    editcap_trim

    editcap_split

    editcap_time_shift

    editcap_deduplicate

    text2pcap_import

Proof of Concept

Confirmed on wireshark-mcp v1.1.5 with tshark 4.6.4.

A crafted pcap’s HTTP object was successfully written to an arbitrary filesystem path when:


_allowed_dirs = None

Patches

Not yet patched.

A fix should make the path sandbox mandatory for all file-write operations rather than optional:


# Reject all write operations when no sandbox is configured

if not self._allowed_dirs:

    return json.dumps({

        "success": False,...

Workarounds

Set WIRESHARK_MCP_ALLOWED_DIRS to a restricted safe directory before starting the server:


export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safe

This activates the existing sandbox and blocks writes outside the allowed path.

Resources

    Vulnerable code:

      src/wireshark_mcp/tshark/client.py lines 521–543

      src/wireshark_mcp/tshark/client.py lines 685–839

    CWE-22: Improper Limitation of a Pathname to a Restricted Directory

    CWE-73: External Control of File Name or Path

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-439012. NVD-2026-439013. OSV-2026-439014. GHSA-3r68-x3xc-rxpg5. GCVE-2026-43901

References

1. https://github.com/bx33661/Wireshark-MCP/security/advisories/GHSA-3r68-x3xc-rxpg

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-8RFNQ – Vulnerability | Fluid Attacks Database