@mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
- Severity: High
Description
The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.
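The kind of validation the description says was missing, as an added example that is not the project's own patch or code. `WORKSPACE`, `ALLOWED_EXT`, `unsafeTarget`, `resolveInsideWorkspace`, the sample root directory and the extension list are assumptions made for illustration.

```javascript
// Added example: confine a caller-supplied output path to a workspace directory.
// All names and the sample root below are hypothetical, not from the package.
const path = require("node:path");

const WORKSPACE = path.resolve("/srv/mcp-workspace"); // constructed sample root
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".mp4"]); // assumed list

// Before: the pattern the advisory describes. The parameter reaches the
// filesystem unchanged, so "../" segments or an absolute path leave the root.
function unsafeTarget(saveTo) {
  return path.resolve(WORKSPACE, saveTo);
}

// After: resolve first, then require the result to sit strictly below the root.
function resolveInsideWorkspace(userPath) {
  if (typeof userPath !== "string" || userPath.length === 0 || userPath.includes("\0")) {
    throw new Error("invalid path");
  }
  const target = path.resolve(WORKSPACE, userPath);
  // path.relative avoids the startsWith() pitfall where a sibling directory
  // such as /srv/mcp-workspace-evil shares the root's string prefix.
  const rel = path.relative(WORKSPACE, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes workspace");
  }
  if (!ALLOWED_EXT.has(path.extname(target).toLowerCase())) {
    throw new Error("unexpected file extension");
  }
  return target;
}

// Helper for the constructed inputs below: returns the path or the reason.
function check(p) {
  try { return resolveInsideWorkspace(p); } catch (e) { return "rejected: " + e.message; }
}

// Constructed inputs: one legitimate name, then values that must be rejected.
for (const p of ["shots/home.png", "../outside.png", "../mcp-workspace-evil/a.png", "/tmp/x.png", "run.sh"]) {
  console.log(JSON.stringify(p), "->", check(p));
}
```

The check is lexical only. If the workspace can contain symlinks, also compare the `fs.realpath` of the target's parent directory against the real path of the root before writing.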
Recommendation
Update the @mobilenext/mobile-mcp package to the latest compatible version. Version details:
- Affected version(s): < 0.0.49
- Patched version(s): 0.0.49
Related Issues
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- @appium/support has a Zip Slip arbitrary file write in its ZIP extraction - CVE-2026-30973
- Tags: npm, @mobilenext/mobile-mcp
Last updated on March 27, 2026