GHSA-3p2m-h2v6-g9mx: @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Summary
The @mobilenext/mobile-mcp package has a path traversal vulnerability (a security flaw where an attacker can write files outside the intended directory by using special path characters like `../`) in its `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters are passed directly to file-writing functions without checking if the paths are valid, allowing an attacker to write files anywhere on the system.
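A containment check of the kind the summary says is missing, as an added example (not code from the advisory or from mobile-mcp). The helper name `resolveInsideBase`, the idea of a fixed base directory, and the sample inputs are assumptions made for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Hypothetical helper (not from mobile-mcp): map a caller-supplied path such as
// `saveTo` or `output` onto baseDir, or throw if it would land anywhere else.
function resolveInsideBase(baseDir, userPath) {
  if (typeof userPath !== "string" || userPath === "" || userPath.includes("\0")) {
    throw new Error("invalid path value");
  }
  const base = fs.realpathSync(baseDir);
  const candidate = path.resolve(base, userPath); // an absolute input replaces base here
  // Canonicalise the parent so a symlinked directory cannot redirect the write.
  // The target file may not exist yet, so only its directory is resolved.
  const parent = fs.realpathSync(path.dirname(candidate));
  const target = path.join(parent, path.basename(candidate));
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path escapes ${base}`);
  }
  // Refuse to write through an existing symlink at the final component.
  const st = fs.lstatSync(target, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) {
    throw new Error("target is a symlink");
  }
  return target;
}

// Constructed inputs: check each against a fresh temp directory and record the outcome.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "captures-"));
  fs.mkdirSync(path.join(base, "run1"));
  fs.symlinkSync(os.tmpdir(), path.join(base, "link"), "dir");
  const inputs = ["shot.png", "run1/rec.mp4", "../shot.png", "run1/../../x.png",
                  path.join(os.tmpdir(), "abs.png"), "link/x.png"];
  const results = {};
  for (const input of inputs) {
    try { resolveInsideBase(base, input); results[input] = "accepted"; }
    catch { results[input] = "rejected"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The check and the later write are separate steps, so the base directory should not be writable by untrusted parties between them.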
Vulnerability Details
EPSS: 0.0%
Yes
March 27, 2026
Original source: https://github.com/advisories/GHSA-3p2m-h2v6-g9mx
First tracked: March 28, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 85%