Path Traversal in Bearer Token Validation Bypasses Session Authentication Controls
fast-mcp-telegram fails to normalize file paths during token validation, allowing unauthenticated attackers to bypass reserved session name protections and impersonate the default Telegram account via path traversal sequences in Bearer tokens.
CVE References
Affected
Vulnerability Description
The `SessionFileTokenVerifier.verify_token()` function in fast-mcp-telegram implements insufficient path validation. It rejects exact string matches against reserved session names (e.g., `telegram`), but it neither normalizes nor sanitizes path separators before concatenating the token into a session file path. A token such as `../fast-mcp-telegram/telegram` is not equal to `telegram`, so it passes the check; once joined to the session directory, the embedded traversal sequence escapes the intended token namespace and the constructed path resolves to the protected default session file. The root cause is the absence of path canonicalization and the assumption that string comparison alone is sufficient for access control.
Proof-of-Concept Significance
This disclosure demonstrates reliable, unauthenticated session hijacking against default configurations. The PoC is significant because it requires only: (1) the default session file to exist at a predictable location, and (2) network access to the HTTP endpoint. No brute force, cryptographic weakness, or leaked credentials are necessary. The attacker gains full impersonation of the default Telegram account and can execute any MCP tool the session exposes, including message access, sending, and MTProto API calls. The prefix middleware protection is ineffective because the bypass occurs at token validation, before prefixing logic executes.
Detection Guidance
Log Indicators: Monitor HTTP Bearer token values for path traversal patterns (`../`, `..\`, percent-encoded variants such as `%2e%2e%2f`, double-encoded `%252e`, and Unicode or overlong-UTF-8 forms of the dot and slash). Valid tokens are plain names, so alert on any token containing `/` or `\`. Log every `SessionFileTokenVerifier.verify_token()` call with the raw token value and the resolved session path for forensic analysis.
Signatures: Detect Bearer tokens matching `(\.\.[\\/])+` or containing a path separator followed by a reserved session name. Apply percent-decoding before matching, otherwise the encoded forms are missed. In HTTP access logs, flag `Authorization` headers carrying traversal sequences.
YARA-style indicator: a token matching `[\\/]telegram$` (a path separator immediately followed by a reserved session name), or more generally any Bearer token whose decoded form contains both a directory separator and a reserved session name.
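The following is an added example, not code from the original advisory or from the fast-mcp-telegram project. It runs the indicators above over constructed log lines (the log layout and the `/mcp` endpoint path are assumptions), percent-decoding each Bearer token before matching so that encoded and double-encoded traversal variants are caught as well as the plain form:

```python
import re
from urllib.parse import unquote

# Constructed sample lines. The field layout (client, method, path, status, then the
# raw Authorization header in quotes) is an assumption for this example, not
# fast-mcp-telegram's own log format.
SAMPLE_LOG = """\
10.0.0.5 POST /mcp 200 "Bearer abc123"
10.0.0.7 POST /mcp 200 "Bearer ../fast-mcp-telegram/telegram"
10.0.0.7 POST /mcp 200 "Bearer %2e%2e%2ffast-mcp-telegram%2ftelegram"
10.0.0.9 POST /mcp 401 "Bearer ..%5ctelegram"
10.0.0.9 POST /mcp 200 "Bearer %252e%252e/telegram"
10.0.0.3 POST /mcp 200 "Bearer sub%2Ftelegram"
"""

RESERVED_SESSION_NAMES = ("telegram",)
TRAVERSAL_RE = re.compile(r"(?:\.\.[\\/])+")   # one or more "../" or "..\" steps
SEPARATOR_RE = re.compile(r"[\\/]")            # any path separator at all
AUTH_RE = re.compile(r'"Bearer (?P<token>[^"]*)"')


def normalize_token(raw, rounds=3):
    """Percent-decode repeatedly so %252e (double encoding) collapses to a dot.

    Only percent-encoding is handled here; overlong UTF-8 or Unicode look-alike
    separators would need a separate normalization pass.
    """
    token = raw
    for _ in range(rounds):
        decoded = unquote(token)
        if decoded == token:
            break
        token = decoded
    return token


def classify_token(raw):
    """Return the list of indicator names that fire on this token (empty = clean)."""
    token = normalize_token(raw)
    hits = []
    if TRAVERSAL_RE.search(token):
        hits.append("traversal_sequence")
    if SEPARATOR_RE.search(token):
        hits.append("path_separator")
        # "separator followed by a reserved session name": split on separators and
        # look for a reserved name as a whole path component.
        if any(seg.lower() in RESERVED_SESSION_NAMES for seg in SEPARATOR_RE.split(token)):
            hits.append("reserved_name_after_separator")
    if raw != token:
        hits.append("percent_encoded")
    return hits


def scan_log(text):
    """Return (client, raw_token, hits) for every line whose token trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        hits = classify_token(m.group("token"))
        if hits:
            findings.append((line.split()[0], m.group("token"), hits))
    return findings


if __name__ == "__main__":
    for client, token, hits in scan_log(SAMPLE_LOG):
        print(f"{client}\t{token!r}\t{', '.join(hits)}")
```

The `sub%2Ftelegram` line shows why the separator rule matters on its own: it carries no `..` at all, yet a separator plus a reserved name is still a token that a correct verifier would never accept.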
Mitigation Steps
- Immediate: Apply available patches. Verify that no default `telegram.session` file is world-accessible or present on production systems.
- Code fix: Canonicalize with `os.path.normpath()` and `os.path.realpath()` (or `pathlib.Path.resolve()`), then verify that the resolved path lies within the intended session directory using `pathlib.Path.is_relative_to()` (Python 3.9+; on older versions catch the `ValueError` raised by `Path.relative_to()`). Compare against the resolved session directory rather than its raw configured string, and re-check the reserved-name rule on the resolved file so that a symlink inside the directory cannot alias the default session.
- Token validation: Reject any token containing `/`, `\`, `..`, or other path traversal characters before any path is constructed; a whitelist of the expected token alphabet is simpler and safer than a blacklist of traversal sequences.
- Configuration: Disable HTTP authentication if it is not required; use firewall rules to restrict network access to the HTTP endpoint.
- Testing: Add unit tests asserting that traversal sequences in tokens (including percent-encoded and backslash variants) are rejected and that session file access is strictly bounded to the session directory.
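As an added example that is not the project's own code, the vulnerable string-match check from the Vulnerability Description is placed beside the hardened form described in the mitigation steps above. `vulnerable_session_path()` is a hypothetical reconstruction of the flawed logic, not `SessionFileTokenVerifier.verify_token()` itself, and the layout `<session_dir>/<token>.session` with the default account at `telegram.session` is an assumption. The demo builds that layout in a temporary directory and runs both verifiers against the advisory's traversal token, a backslash variant, and a symlink alias:

```python
import os
import tempfile
from pathlib import Path

# Assumption: the default account's session lives at "<session_dir>/telegram.session"
# and a Bearer token <t> maps to "<session_dir>/<t>.session".
RESERVED_SESSION_NAMES = {"telegram"}


def vulnerable_session_path(session_dir, token):
    """Vulnerable pattern (hypothetical reconstruction): exact-match blacklist, then a
    string-built path. '../fast-mcp-telegram/telegram' != 'telegram', so it passes,
    yet os.path.join() happily walks out of and back into session_dir."""
    if token in RESERVED_SESSION_NAMES:
        return None
    path = os.path.join(session_dir, f"{token}.session")
    return path if os.path.isfile(path) else None


def hardened_session_path(session_dir, token):
    """Hardened version: reject separators early, then canonicalize and confine."""
    # 1. Refuse anything that is not a plain name before a path is ever built.
    if not token or "/" in token or "\\" in token or ".." in token:
        return None
    if token in RESERVED_SESSION_NAMES:
        return None
    # 2. Defence in depth: resolve both sides (realpath semantics, symlinks followed)
    #    and require the candidate to sit directly inside the session directory.
    base = Path(session_dir).resolve()
    candidate = (base / f"{token}.session").resolve()
    try:
        candidate.relative_to(base)        # Path.is_relative_to() on Python 3.9+
    except ValueError:
        return None
    if candidate.parent != base:
        return None
    # 3. Re-check the reserved name on the *resolved* file, so a symlink such as
    #    alias.session -> telegram.session cannot smuggle the default session in.
    if candidate.stem in RESERVED_SESSION_NAMES:
        return None
    return str(candidate) if candidate.is_file() else None


def demo():
    """Constructed layout mirroring the advisory's token: a session directory named
    fast-mcp-telegram holding the default session, one legitimate token session and
    a symlink alias (POSIX). Returns a dict of boolean outcomes."""
    root = Path(tempfile.mkdtemp())
    session_dir = root / "fast-mcp-telegram"
    session_dir.mkdir()
    default = session_dir / "telegram.session"
    default.write_bytes(b"constructed default session")
    (session_dir / "abc123.session").write_bytes(b"constructed per-token session")
    (session_dir / "alias.session").symlink_to("telegram.session")

    sd = str(session_dir)
    traversal = "../fast-mcp-telegram/telegram"
    vt = vulnerable_session_path(sd, traversal)
    return {
        "vulnerable_exact_name_blocked": vulnerable_session_path(sd, "telegram") is None,
        "vulnerable_traversal_hits_default": vt is not None and os.path.samefile(vt, default),
        "hardened_legit_token_ok": hardened_session_path(sd, "abc123") is not None,
        "hardened_traversal_blocked": hardened_session_path(sd, traversal) is None,
        "hardened_backslash_blocked": hardened_session_path(sd, "..\\telegram") is None,
        "hardened_symlink_alias_blocked": hardened_session_path(sd, "alias") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Step 1 is the control that actually closes the hole; steps 2 and 3 exist so that a future token format change, a symlink dropped into the session directory, or a platform with different separator rules does not silently reopen it.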
Risk Assessment
Likelihood in the wild: High. Default configurations are common in development/testing deployments, and the vulnerability requires no sophisticated attack tooling. Remote, unauthenticated exploitation is trivial to automate.
Threat actor interest: High. Telegram accounts grant access to personal and group messaging, media, and potentially sensitive contacts/data. Attackers can use compromised accounts for social engineering, credential harvesting, or espionage. The low barrier to exploitation makes this attractive for broad scanning and targeting.
Blast radius: Any deployment with HTTP auth enabled, default sessions, and network exposure is at immediate risk of total account compromise.
Sources