Wireshark-MCP, an MCP Server that integrates tshark with Wireshark utilities, contains a path traversal vulnerability (CWE-22) in versions up to 1.1.5. The vulnerability exists in the wireshark_export_objects MCP tool, which accepts a dest_dir parameter that is passed directly to tshark's --export-objects flag without enforcing path restrictions. The default configuration does not enable the path sandbox (_allowed_dirs), which only activates if the environment variable WIRESHARK_MCP_ALLOWED_DIRS is set. Consequently, an attacker can specify arbitrary filesystem paths as the export destination, potentially leading to unauthorized file writes outside restricted directories. The CVSS 3.1 base score is 6.8, reflecting network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality and integrity impacts.

The vulnerability allows an attacker to control the destination directory for exported objects, potentially enabling unauthorized file writes to arbitrary locations on the filesystem. This can compromise confidentiality and integrity of data by overwriting or placing files in sensitive directories. There is no indication of availability impact. No known exploits are reported in the wild. The vulnerability affects all installations of Wireshark-MCP version 1.1.5 and earlier that have not explicitly configured the WIRESHARK_MCP_ALLOWED_DIRS environment variable to restrict export paths.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should explicitly set the WIRESHARK_MCP_ALLOWED_DIRS environment variable to restrict allowed export directories and prevent arbitrary path traversal. Avoid running wireshark_export_objects MCP tool with untrusted input for the dest_dir parameter. Monitor vendor communications for updates regarding an official patch or fix.