@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools

Description

The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.

Recommendation

Update the @mobilenext/mobile-mcp package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.0.49
• Patched version(s): 0.0.49

References

• GHSA-3p2m-h2v6-g9mx
• CVE-2026-33989
• CWE-22
• CWE-73
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
• @mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url - CVE-2026-35394
• Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write - CVE-2026-35214
• Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@mobilenext/mobile-mcp