EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

Executive Summary

Cymulate Research Labs is committed to advancing cybersecurity by scrutinizing emerging technologies and exposing hidden risks. Our latest work turns the spotlight on Anthropic’s Model Context Protocol (MCP), specifically the Filesystem MCP Server, and uncovers high-severity flaws that let attackers escape the server’s sandbox, tamper with any file on the host and even execute arbitrary code. These discoveries come at a time when MCP is gaining rapid traction as the “USB-C port” that connects large language model (LLM) clients, such as Claude Desktop, to real-world data and services.

High-Severity Anthropic Vulnerability Discovered by Cymulate Researcher

Key Findings

We demonstrate that once an adversary can invoke MCP Server tools, they can leverage legitimate MCP Server functionality to read or write anywhere on disk and trigger code execution - all without exploiting traditional memory corruption bugs or dropping external binaries. Here’s what we found: 

1. Directory Containment Bypass (CVE-2025-53110)

The containment check compares string prefixes only, so any path that merely begins with the approved directory’s string passes; for example, with /private/tmp/allowed_dir approved, a sibling directory such as /private/tmp/allowed_dir_evil also passes because the check never requires a path-separator boundary after the prefix. This allows unrestricted listing, reading and writing outside the intended sandbox, breaks the server’s core security boundary, and opens the door to data theft and potential privilege escalation.

2. Symlink Bypass to Code Execution (CVE-2025-53109)

A crafted symlink can point anywhere on the filesystem and still pass the access enforcement check. Through it, attackers gain full read/write access to critical files outside the sandbox and can drop malicious code; with the privileges the server typically runs under, this lets an otherwise unprivileged user fully compromise the system.

Why These Findings Are Important

  • MCP adoption is accelerating, so these vulnerabilities reach a large and growing number of developer and enterprise environments. 

  • Because LLM workflows often run with elevated user privileges for convenience, successful exploitation can translate directly into root-level compromise. 

Recommended Actions

1. Update to the latest patched release once available and monitor Anthropic advisories for fixes. 

2. Configure every application and service to run with only the minimum privileges it needs - the Principle of Least Privilege (PLP). 

3. Validate Your Defenses – The Cymulate Exposure Validation Platform already includes scenarios that recreate these MCP attacks. Use it to: 

  • Simulate sandbox escape attack scenarios and confirm detection of directory prefix abuse and symlink exploitation. 

  • Identify and close security gaps before adversaries discover them. 

Full technical details, proofs-of-concept and additional mitigation guidance are available in our full blog post.
