
Anthropic MCP Server Flaw Allows Sandbox Escape and Code Execution


Two newly disclosed vulnerabilities in Anthropic’s Filesystem Model Context Protocol (MCP) Server—CVE-2025-53110 and CVE-2025-53109—have exposed AI-powered environments to severe risks, including sandbox escapes, unauthorized file access, and arbitrary code execution.

These flaws, discovered by Cymulate Research Labs, highlight urgent security challenges as MCP adoption accelerates in enterprise and developer ecosystems.

Anthropic’s Model Context Protocol (MCP) is rapidly becoming the standard for enabling large language model (LLM) clients, such as Claude Desktop, to interact with external data and tools.

The Filesystem MCP Server, a Node.js-based implementation, is designed to restrict file operations to a set of “allowed directories,” theoretically keeping the AI’s access safely sandboxed.

The Vulnerabilities

| CVE ID | Name/Type | CVSS Score | Patched Version |
|---|---|---|---|
| CVE-2025-53110 | Directory Containment Bypass | 7.3 | 0.6.3 / 2025.7.1 |
| CVE-2025-53109 | Symlink Bypass to Code Exec | 8.4 | 0.6.3 / 2025.7.1 |
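The "allowed directories" restriction described above depends on how the server decides that a requested path is inside an allowed directory. The following Node.js sketch is an added example, not code from the Filesystem MCP Server or from the original story. It assumes two common ways such a check is defeated (a sibling directory sharing a name prefix, and a symlink pointing out of the allowed directory), and all function names and paths in it are hypothetical.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve symlinks. For a path that does not exist yet (e.g. a file about to
// be created), resolve the nearest existing ancestor and re-append the rest.
function resolveReal(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    if (err.code !== 'ENOENT') throw err;
    const st = fs.lstatSync(abs, { throwIfNoEntry: false });
    if (st && st.isSymbolicLink()) throw new Error('dangling symlink');
    const parent = path.dirname(abs);
    return parent === abs ? abs : path.join(resolveReal(parent), path.basename(abs));
  }
}

// True only if the symlink-resolved candidate is an allowed directory or a
// descendant of one, compared on path-segment boundaries, not string prefixes.
function isContained(candidate, allowedDirs) {
  let real;
  try { real = resolveReal(candidate); } catch { return false; }
  return allowedDirs.some((dir) => {
    const rel = path.relative(fs.realpathSync(dir), real);
    const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return !escapes;
  });
}

// Constructed test layout in a temp directory (all names are sample values).
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'mcp-fs-'));
  const allowed = path.join(base, 'allowed');
  const sibling = path.join(base, 'allowed_secrets'); // shares the string prefix
  fs.mkdirSync(allowed);
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(allowed, 'notes.txt'), 'constructed');
  fs.writeFileSync(path.join(sibling, 'key.txt'), 'constructed');
  fs.symlinkSync(sibling, path.join(allowed, 'link')); // link leaving the sandbox
  const check = (p) => isContained(p, [allowed]);
  const result = {
    naivePrefix: path.join(sibling, 'key.txt').startsWith(allowed), // weak check
    inside: check(path.join(allowed, 'notes.txt')),
    newFile: check(path.join(allowed, 'sub', 'new.txt')),
    sibling: check(path.join(sibling, 'key.txt')),
    viaSymlink: check(path.join(allowed, 'link', 'key.txt')),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

A check of this kind is still subject to a race between validation and use, so the file should be opened on the resolved path that was validated rather than on the caller's original string.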

CVE-2025-53110: Directory Containment Bypass ...


Copyright of this story solely belongs to gbhackers.