This vulnerability involves a path traversal flaw in the donchelo processing-claude-mcp-bridge software up to commit e017b20a4b592a45531a6392f494007f04e661bd. The flaw is located in an unspecified function within processing_server.py of the create_sketch tool, where the sketch_name argument is not properly sanitized, enabling attackers to traverse directories and potentially access unauthorized files remotely. The project follows a rolling release model, complicating version-specific identification. Despite early notification, the vendor has not issued a response or patch. The CVSS 4.0 score is 6.9 (medium), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality, integrity, and availability impacts. Public exploit code exists, but no active exploitation has been confirmed.

Successful exploitation allows remote attackers to perform path traversal via the sketch_name argument, potentially accessing or manipulating files outside intended directories. This can lead to unauthorized disclosure or modification of files with limited impact on confidentiality, integrity, and availability as indicated by the CVSS vector. No evidence of active exploitation in the wild has been reported.

No official patch or remediation is currently available, and the vendor has not responded to the issue report. Users should monitor the vendor's communications for updates and apply any future fixes promptly. Until a fix is released, restricting access to the vulnerable component and implementing network-level controls to limit exposure may reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.