📄 Description (English)
A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
🤖 AI Executive Summary
CVE-2026-5327 is a command injection vulnerability in efforthye fast-filesystem-mcp versions up to 3.5.1 affecting the handleGetDiskUsage function. With a CVSS score of 6.3 (medium) and public exploit availability, this vulnerability allows remote attackers to execute arbitrary commands. The lack of vendor response and available patches creates immediate risk for organizations using this component.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 18, 2026 10:49
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using efforthye fast-filesystem-mcp in cloud infrastructure, DevOps pipelines, and file management systems. Most at-risk sectors include: Government (NCA, CITC) utilizing this component for system administration; Banking/Financial institutions (SAMA-regulated) using it in backend infrastructure; Telecommunications (STC, Mobily) for network file systems; Energy sector (ARAMCO, SEC) for operational technology systems; and Healthcare organizations managing patient data storage systems. Command injection could lead to unauthorized access, data exfiltration, system compromise, and lateral movement within critical infrastructure.
🏢 Affected Saudi Sectors
Government (NCA, CITC)
Banking and Financial Services (SAMA-regulated)
Telecommunications (STC, Mobily, Zain)
Energy (ARAMCO, SEC)
Healthcare
Cloud Service Providers
Technology and IT Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all systems running efforthye fast-filesystem-mcp versions ≤3.5.1
2. Isolate or restrict network access to affected systems until patched
3. Monitor for suspicious command execution patterns in logs
4. Implement input validation and sanitization on all disk usage queries
PATCHING GUIDANCE:
1. Contact efforthye project for security updates or consider alternative components
2. If upgrade available, test in non-production environment first
3. Apply patches immediately upon availability
COMPENSATING CONTROLS (until patch available):
1. Implement Web Application Firewall (WAF) rules to block command injection patterns (;, |, &, $(), backticks)
2. Run service with minimal privileges (non-root user)
3. Use containerization with restricted capabilities
4. Implement strict input validation: whitelist only alphanumeric characters and forward slashes for path inputs
5. Disable shell metacharacters in API parameters
DETECTION RULES:
1. Monitor for unusual process spawning from fast-filesystem-mcp service
2. Alert on command execution containing: pipe operators, semicolons, command substitution syntax
3. Log all API calls to handleGetDiskUsage function with parameter values
4. Monitor for unexpected child processes (bash, sh, cmd.exe) spawned by the service
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع الأنظمة التي تشغل efforthye fast-filesystem-mcp الإصدارات ≤3.5.1
2. عزل أو تقييد الوصول الشبكي للأنظمة المتأثرة حتى يتم تصحيحها
3. مراقبة أنماط تنفيذ الأوامر المريبة في السجلات
4. تطبيق التحقق من صحة المدخلات والتطهير على جميع استعلامات استخدام القرص
إرشادات التصحيح:
1. التواصل مع مشروع efforthye للحصول على تحديثات أمنية أو النظر في مكونات بديلة
2. إذا كان التحديث متاحاً، اختبره في بيئة غير الإنتاج أولاً
3. تطبيق التصحيحات فوراً عند توفرها
الضوابط البديلة (حتى يتم توفير التصحيح):
1. تطبيق قواعد جدار الحماية (WAF) لحجب أنماط حقن الأوامر (;, |, &, $(), علامات الاقتباس العكسية)
2. تشغيل الخدمة بأقل الامتيازات (مستخدم غير جذر)
3. استخدام الحاويات مع قدرات مقيدة
4. تطبيق التحقق الصارم من المدخلات: قائمة بيضاء فقط للأحرف الأبجدية الرقمية والشرطات المائلة للأمام
5. تعطيل أحرف الأوامر في معاملات API
قواعد الكشف:
1. مراقبة توليد العمليات غير المعتادة من خدمة fast-filesystem-mcp
2. تنبيه تنفيذ الأوامر التي تحتوي على: عوامل الأنابيب والفواصل المنقوطة وبناء جملة استبدال الأوامر
3. تسجيل جميع استدعاءات API لدالة handleGetDiskUsage مع قيم المعاملات
4. مراقبة العمليات الفرعية غير المتوقعة (bash, sh, cmd.exe) التي تم توليدها بواسطة الخدمة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control implementation
A.8.1.1 - Asset management and inventory
A.12.2.1 - Change management procedures
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software inventory and management
PR.AC-1 - Access control policies and procedures
PR.PT-1 - Security awareness and training
DE.CM-8 - Vulnerability scans and assessments
RS.MI-2 - Incident response and recovery
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.6.1 - Internal organization
A.8.1 - Asset management
A.12.2 - Change management
A.12.6 - Management of technical vulnerabilities and exposures
A.14.2 - Development and support processes
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
Requirement 12.2 - Configuration standards
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/efforthye/fast-filesystem-mcp/
cna@vuldb.com
https://github.com/efforthye/fast-filesystem-mcp/issues/15
cna@vuldb.com
https://github.com/user-attachments/files/25822878/fast-filesystem-mcp_bug.pdf
cna@vuldb.com
https://vuldb.com/submit/780776
cna@vuldb.com
https://vuldb.com/vuln/354658
cna@vuldb.com
https://vuldb.com/vuln/354658/cti
cna@vuldb.com