Security Audit: 1 finding(s) in @modelcontextprotocol/server-memory #3315
Description
AgentAudit Security Audit Report
| Metric | Value |
|---|---|
| Package | @modelcontextprotocol/server-memory |
| Version | 2026.1.26 |
| Risk Score | 5/100 |
| Result | safe |
| Findings | 2 total (0 critical, 0 high, 1 medium, 1 low) |
Findings Summary
Medium Severity:
- PATH_TRAV_001: Potential path traversal in custom memory file path (dist/index.js:16)
Low Severity (by-design):
- INFO_LEAK_001: Verbose error messages to stderr (dist/index.js:31) - marked as by-design
Details
Medium: Potential path traversal in custom memory file path
Location: dist/index.js:16
Description: The MEMORY_FILE_PATH environment variable accepts relative paths that are resolved relative to the script directory. While this is user-configured and not externally exploitable, relative paths with '../' sequences could potentially write outside the intended directory. However, this is a configuration-time setting controlled by the user, not runtime input from external sources.
Affected Code:
: path.join(path.dirname(fileURLToPath(import.meta.url)), process.env.MEMORY_FILE_PATH);Remediation: Consider validating that resolved paths don't escape the intended directory, or require absolute paths only. Alternatively, document that users should use absolute paths for MEMORY_FILE_PATH.
Full Report
View the complete audit report with details, evidence, and remediation guidance:
AgentAudit Report
This audit was performed automatically by AgentAudit, the security registry for AI agent packages. If you believe any finding is incorrect, you can dispute it on the platform.