What happened
A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox (CVSS 9.3 Critical). When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the initial path starts with the expected prefix, a crafted pathParam containing path-traversal sequences (e.g. '../') can escape the intended path prefix after URL parsing, redirecting the MCP tool's HTTP request to arbitrary upstream endpoints.
Why it matters
MCP Toolbox is Google's official library for building MCP servers that connect AI agents to backend APIs. A malicious prompt or tool input can cause the agent to make HTTP requests to unintended internal services, exfiltrate data from internal APIs, or bypass access controls by targeting endpoints the operator never intended to expose. The critical CVSS score (9.3) reflects that no authentication is required from the agent's perspective.
Attack vector
An attacker supplies crafted pathParam values containing path-traversal sequences (e.g., '../../admin') via an LLM agent prompt or malicious tool input; the MCP Toolbox URL builder then constructs a request to an unintended upstream API endpoint.
Affected systems
googleapis/mcp-toolbox (versions prior to the fix in PR #3218)
Mitigation
Apply the fix from GitHub PR #3218: https://github.com/googleapis/mcp-toolbox/pull/3218. Monitor for an updated release from Google.
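The check-before-resolve ordering described under "What happened", next to one way to validate the path after resolution. This is an added example, not code from mcp-toolbox or from PR #3218; the base URL, path template, prefix and function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical configuration, constructed for this example.
const (
	toolPath = "/v1/users/{id}/profile" // tool path template
	prefix   = "/v1/users/"             // only subtree the tool should reach
)

var base = &url.URL{Scheme: "https", Host: "api.internal.example"} // upstream base

// naiveBuild checks the prefix on the substituted string, before dot
// segments are resolved, so the check sees a path the request never uses.
func naiveBuild(id string) (string, error) {
	raw := strings.ReplaceAll(toolPath, "{id}", id)
	if !strings.HasPrefix(raw, prefix) {
		return "", errors.New("path outside prefix")
	}
	u, err := base.Parse(raw) // parse as relative URL and resolve against base
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// safeBuild escapes the parameter as a single segment, then checks the
// prefix on the resolved, decoded and cleaned path.
func safeBuild(id string) (string, error) {
	u, err := base.Parse(strings.ReplaceAll(toolPath, "{id}", url.PathEscape(id)))
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(path.Clean(u.Path), prefix) {
		return "", errors.New("resolved path escapes prefix")
	}
	return u.String(), nil
}

func main() {
	fmt.Println(naiveBuild("../../admin")) // constructed input from the advisory text
	fmt.Println(safeBuild("../../admin"))
}
```

The hardened version checks the decoded path, so an upstream that decodes %2F before routing is covered by the same prefix check.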