wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured

CVE-2026-43901 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Description

Impact

wireshark-mcp exposes a wireshark_export_objects MCP tool that accepts an attacker-controlled dest_dir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction.

The path sandbox (_allowed_dirs) is None by default and only activates when the environment variable WIRESHARK_MCP_ALLOWED_DIRS is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination.

Affected code (src/wireshark_mcp/tshark/client.py:531-543):


output_validation = self._validate_output_path(dest_dir)

# _validate_output_path only enforces the sandbox when _allowed_dirs is set.

# Default: _allowed_dirs = None → no restriction.

os.makedirs(dest_dir, exist_ok=True)   # creates arbitrary directories

cmd = [..., "--export-objects", f"{protocol},{dest_dir}"]

Attack Scenario

An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized_keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark_export_objects with:


dest_dir=/home/user/.ssh/

tshark then extracts and writes the HTTP object to that path, granting the attacker SSH access.

The same technique can target:

  • /etc/cron.d/

  • Writable web roots

  • Other sensitive filesystem locations

Additional Affected Operations

The same missing sandbox affects:

  • merge_pcap_files

  • editcap_trim

  • editcap_split

  • editcap_time_shift

  • editcap_deduplicate

  • text2pcap_import

Proof of Concept

Confirmed on wireshark-mcp v1.1.5 with tshark 4.6.4.

A crafted pcap’s HTTP object was successfully written to an arbitrary filesystem path when:


_allowed_dirs = None

Patches

Not yet patched.

A fix should make the path sandbox mandatory for all file-write operations rather than optional:


# Reject all write operations when no sandbox is configured

if not self._allowed_dirs:

    return json.dumps({

        "success": False,

        "error": {

            "type": "SecurityError",

            "message": "Set WIRESHARK_MCP_ALLOWED_DIRS before using file-write operations"

        }

    })

Workarounds

Set WIRESHARK_MCP_ALLOWED_DIRS to a restricted safe directory before starting the server:


export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safe

This activates the existing sandbox and blocks writes outside the allowed path.

Resources

  • Vulnerable code:

  • src/wireshark_mcp/tshark/client.py lines 521–543

  • src/wireshark_mcp/tshark/client.py lines 685–839

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory

  • CWE-73: External Control of File Name or Path

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-05-05 20:15:12 UTC
Updated
2026-05-13 15:20:16 UTC
GitHub reviewed
2026-05-05 20:15:12 UTC
NVD published
2026-05-11

EPSS Score

Score Percentile
0.04% 13.69%

CVSS Scores

Base score Version Severity Vector
6.8 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-3r68-x3xc-rxpg ↗
CVE CVE-2026-43901 ↗

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • bx33661 (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip wireshark-mcp <= 1.1.5

References

cvelogic Threat Intelligence