Anthropic Filesystem MCP EscapeRoute path-bypass flaws
EscapeRoute showed that symlink and path-prefix bypasses in Anthropic's Filesystem MCP server could break assumed file-scope restrictions.
Affected systems
MCP deployments, Coding agents
Primary threats
Capability Escalation, Tool Misuse
Impact types
Scope bypass, Unauthorized file access
CVEs
Not specified
What an auditor should now check
- Test symlink, mount, and path-normalization bypasses against file tools
- Verify allowed-root enforcement uses canonical resolved paths
- Inspect whether file operations are logged with both user-facing and resolved paths
Why this matters
Filesystem scope is one of the main safety claims in agent tooling. If it can be bypassed, file-read and file-write boundaries are not trustworthy controls.
What happened
Path-prefix and symlink assumptions in the Filesystem MCP server were insufficient, allowing scope-bypass scenarios.
Why the classification matters
A file sandbox that only works for happy paths is not a reliable control boundary.
What an auditor should now check
- Whether canonicalization happens before authorization
- Whether symlink policy is explicit and tested
- Whether file tools can escape through indirect path structures
Zealynx takeaway
A file tool is only as safe as its path-resolution semantics under attacker-controlled structure.
Control implications
- Filesystem scoping needs canonicalization, symlink policy, and invariant enforcement
- Agent sandboxes should not rely on path-prefix checks alone
- Audit logs should record resolved path targets, not only requested paths
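The three control implications above, as an added Node.js example (not code from the Filesystem MCP server): a prefix-only check beside a canonicalize-then-authorize check, with an audit record that carries both the requested and the resolved path. The function names and the temporary fixture (`project`, `project-secrets`, `link`) are hypothetical and constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Weak pattern: string-prefix test on the requested path, no symlink resolution.
function naivePrefixCheck(allowedRoot, requested) {
  return path.resolve(requested).startsWith(allowedRoot);
}

// Canonicalize first, then authorize on a path-segment boundary.
function canonicalCheck(allowedRoot, requested) {
  const root = fs.realpathSync(allowedRoot);
  let resolved;
  try {
    resolved = fs.realpathSync(path.resolve(requested)); // follows every symlink
  } catch {
    return { allowed: false, requested, resolved: null }; // unresolvable: fail closed
  }
  const rel = path.relative(root, resolved);
  const allowed = rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
  return { allowed, requested, resolved };
}

// Constructed fixture: an allowed root, a sibling sharing its name prefix,
// and a symlink inside the root that points at the sibling.
function buildFixture() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'scope-')));
  const root = path.join(base, 'project');
  const sibling = path.join(base, 'project-secrets');
  fs.mkdirSync(root);
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(root, 'ok.txt'), 'in scope');
  fs.writeFileSync(path.join(sibling, 'key.txt'), 'out of scope');
  fs.symlinkSync(sibling, path.join(root, 'link'), 'dir');
  return { root, sibling };
}

function runDemo() {
  const { root, sibling } = buildFixture();
  const requests = [path.join(root, 'ok.txt'), path.join(sibling, 'key.txt'),
    path.join(root, 'link', 'key.txt')];
  return requests.map((requested) => {
    const entry = { ...canonicalCheck(root, requested),
      naive: naivePrefixCheck(root, requested) };
    console.log(JSON.stringify(entry)); // audit record: requested and resolved path
    return entry;
  });
}

runDemo();
```

The file operation that follows the check should use `resolved`, not `requested`, so the path that was authorized is the path that is opened.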