Filesystem MCP Server Review 2026: The Foundation Every AI Workflow Needs

Table of Contents

1. What is the Filesystem MCP Server?
2. Key Features
3. How to Use the Filesystem MCP Server
4. Security Considerations
5. Pros and Cons
6. Best Filesystem MCP Alternatives
7. Final Verdict: Is the Filesystem MCP Server Worth It?
8. Frequently Asked Questions

What is the Filesystem MCP Server?

The Filesystem MCP Server is Anthropic's official reference implementation for local file system operations through the Model Context Protocol. It ships as an npm package — @modelcontextprotocol/server-filesystem — and runs as a Node.js process that exposes seven structured tools for reading, writing, editing, and navigating files on your machine.

This is not a community project or a third-party wrapper. It lives inside the official MCP servers repository alongside the GitHub MCP Server, the PostgreSQL MCP Server, and other Anthropic-maintained reference implementations. The repository has accumulated over 79,000 GitHub stars, and the filesystem server is consistently cited as the first MCP server most developers install.

The reason is straightforward: file access is the foundation of nearly every AI-assisted workflow. Code editing, document processing, configuration management, log analysis, data transformation — all of these require the AI to read and write files. Without filesystem access, Claude operates in a vacuum. With it, Claude becomes a genuine collaborator that can inspect your project, modify your code, and organize your documents.

I have been running the Filesystem MCP Server daily since early 2025. It is the first entry in my claude_desktop_config.json and the MCP server I would keep if forced to choose only one. The rest of this review covers what it does, how the security model works, where it falls short, and whether any of the alternatives are worth considering.

The Filesystem MCP Server lives in Anthropic's official modelcontextprotocol/servers repository — the same repo with 79,000+ stars

Key Features

1. File Reading (read_file)

The read_file tool reads the complete contents of any file within the allowed directories and returns it as text. It handles UTF-8 encoded files of any size, though extremely large files will consume context window tokens quickly. For code files, configuration files, logs, markdown documents, and data files, it works exactly as expected.

What makes this more useful than it sounds is the structured return format. The MCP protocol delivers the file contents with metadata, so the AI model knows the file path, can reference specific lines, and can distinguish between an empty file and a missing file. In practice, I use this dozens of times per session — reading source files before editing, checking configuration state, and inspecting build output.

2. File Writing (write_file)

The write_file tool creates new files or overwrites existing ones with specified content. It handles the full write operation atomically — the file either gets written completely or not at all. Parent directories must already exist (use create_directory first if they do not).

This is the tool that turns Claude from a reader into a collaborator. Generate a configuration file, write a script, create a data export, produce a report — all saved directly to your file system without copy-paste. The tool respects the allowed directories constraint, so writes outside permitted paths are blocked at the server level.

3. File Editing (edit_file)

The edit_file tool performs targeted search-and-replace operations within existing files. Rather than rewriting an entire file, it matches a specific string and replaces it with new content. This is significantly safer than write_file for making changes to existing code — a malformed edit only affects the targeted section, not the entire file.

For code editing workflows, this is the most heavily used tool. Claude reads a file, identifies the section that needs changing, and uses edit_file to make a precise modification. The tool supports line-level granularity, making it practical for refactoring functions, updating imports, changing variable names, and fixing bugs without touching unrelated code.

4. Directory Creation (create_directory)

The create_directory tool creates new directories, including nested paths. If the parent directories do not exist, it creates them recursively — similar to mkdir -p in Unix. This is essential for project scaffolding, organizing output, and setting up folder structures before writing files.

A small but practical detail: the tool does not fail if the directory already exists. This idempotent behavior means Claude can safely include directory creation in multi-step workflows without checking for existence first. One less error path to worry about.

5. Directory Listing (list_directory)

The list_directory tool returns the contents of a directory as a structured list, showing file names, types (file vs. directory), and subdirectory contents. This gives Claude a map of your project structure — essential for navigating unfamiliar codebases, finding specific files, and understanding how a project is organized.

I lean on this tool constantly when working in new repositories. Before making any changes, Claude lists the top-level directory, identifies the source folder, and maps the structure. This prevents blind guessing and dramatically reduces the number of failed file reads.

6. File Metadata (get_file_info)

The get_file_info tool returns detailed metadata for a file or directory: size in bytes, creation time, last modified time, last access time, type (file, directory, or symlink), and permissions. This is useful for debugging (checking if a file was recently modified), automation (processing only files changed after a certain date), and validation (confirming file sizes before processing).

The metadata includes enough detail to build conditional workflows. Claude can check if a build artifact exists and when it was last generated, then decide whether to rebuild. It can identify empty files, detect symbolic links, and verify permissions — all without reading the file contents.

7. Allowed Directories Inspection (list_allowed_directories)

The list_allowed_directories tool returns every directory the server has permission to access. This is a transparency tool — it lets both the user and the AI model understand exactly what is in scope. If Claude attempts an operation outside these boundaries, the server blocks it. This tool makes the permission model visible rather than hidden.

8. Permission Model and Allowed Directories Configuration

The Filesystem MCP Server uses an explicit allowlist for directory access. When launching the server, you specify which directories it may access via command-line arguments. The server validates every file path against this list before executing any operation. Paths outside the allowed directories are rejected — no exceptions, no overrides.

MCP clients that support Roots (a newer protocol feature) can dynamically update the allowed directories at runtime. When a client sends Roots notifications, those Roots completely replace the server-side allowed directory list. This means the directories you configure at launch can be overridden by the client — a flexibility that is useful for IDE integrations where the workspace changes between projects.

The server also sets ToolAnnotations on each tool, distinguishing read-only tools from write-capable tools and marking which write operations are idempotent. Clients that understand these annotations can present safer approval dialogs — auto-approving reads while requiring confirmation for writes.

How to Use the Filesystem MCP Server

Claude Desktop Configuration

The most common setup is adding the Filesystem MCP Server to your Claude Desktop configuration file.

On macOS, the config file lives at:

~/Library/Application Support/Claude/claude_desktop_config.json

On Windows, the config file lives at:

%APPDATA%\Claude\claude_desktop_config.json

Add the following to the mcpServers object:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/Users/yourname/Documents",
        "/Users/yourname/Projects"
      ]
    }
  }
}

Each path listed after the package name is an allowed directory. In this example, Claude can access everything under Documents and Projects but nothing else on the system. Add or remove paths to match your workflow.

Restart Claude Desktop after saving the config. A hammer icon should appear in the input area — click it to see the filesystem tools are now available.

Claude Code Configuration

For Claude Code (the CLI), the Filesystem MCP Server is largely unnecessary because Claude Code already has built-in file access tools (Read, Edit, Write, Glob, Grep). The built-in tools are faster and more feature-rich than the MCP server equivalents.

However, if you want to use the Filesystem MCP Server in Claude Code for consistency with other MCP clients, add it to your .mcp.json project configuration:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/path/to/project"
      ]
    }
  }
}

Docker Configuration

For containerized deployments, mount the allowed directories as volumes:

docker run -i --rm \
  --mount type=bind,src=/Users/yourname/Projects,dst=/projects \
  mcp/filesystem /projects

Adding the ro flag (src=/path,dst=/projects,ro) makes the directory read-only — useful for giving Claude access to reference files without write permission.

Step-by-Step First Use

1. Install Node.js — The server requires Node.js (LTS version recommended). Download from nodejs.org if not already installed.

1. Edit the config file — Open your claude_desktop_config.json and add the filesystem server entry with your desired allowed directories.

1. Restart Claude Desktop — Close and reopen the application. The MCP server starts automatically.

1. Verify the connection — Click the hammer icon in the input box. You should see seven filesystem tools listed: read_file, write_file, edit_file, create_directory, list_directory, get_file_info, and list_allowed_directories.

1. Test with a simple request — Ask Claude to "list the files in my Documents folder" or "read the contents of my README.md." Claude will invoke the appropriate tool and ask for your approval before executing.

Security Considerations

The Filesystem MCP Server's security model is both its greatest strength and the area requiring the most scrutiny. Here is what I found after deliberately testing the boundaries.

What It CAN Access

The server can read, write, and edit any file within the configured allowed directories. This includes all subdirectories recursively. If you allow /Users/yourname/Projects, every file in every subfolder of Projects is in scope. There is no depth limit and no file-type restriction.

What It Blocks

Any path outside the allowed directories is rejected at the server level. The validation happens before the operation executes — it is not a client-side check that could be bypassed. Relative paths that attempt to traverse above an allowed directory (../../etc/passwd) are resolved to absolute paths and checked against the allowlist.

The CVE Incidents (2025)

Two vulnerabilities were discovered in versions prior to 0.6.4:

CVE-2025-53110 (CVSS 7.3) — A directory containment bypass through naive prefix-matching. If /tmp/allowed was an allowed directory, an attacker could access /tmp/allowed_credentials because the path started with the same prefix. The fix added proper directory boundary validation.

CVE-2025-53109 (CVSS 8.4) — A symlink bypass that allowed escaping the allowed directory boundary. A crafted symlink inside an allowed directory could point to any location on the filesystem, giving read/write access to files outside the sandbox. The fix added symlink resolution before path validation.

Both vulnerabilities were patched in version 2025.7.1 (npm) and 0.6.4. If you are running an older version, update immediately. The patched version resolves symlinks and validates boundaries correctly.

Practical Security Recommendations

• Scope narrowly. Allow only the directories Claude actually needs. /Users/yourname is too broad. /Users/yourname/Projects/current-project is better.
• Keep the server updated. The CVE incidents demonstrate that security patches matter. Pin to the latest version or use npx -y to always fetch the newest release.
• Use read-only mounts for reference directories. If Claude only needs to read documentation or configuration, mount the directory as read-only in Docker.
• Review ToolAnnotations. Clients that understand tool annotations can auto-approve reads while requiring explicit confirmation for writes. This adds a human-in-the-loop check on destructive operations.
• Avoid symlinks in allowed directories unless you trust every link target. The CVE-2025-53109 patch resolves symlinks, but avoiding them reduces attack surface.

Pros and Cons

Best Filesystem MCP Alternatives

The Filesystem MCP Server handles local file access. But if your files live in the cloud, or you need more advanced local file operations, these alternatives serve different use cases.

AWS S3 MCP Server

The S3 MCP Server provides bucket and object management through MCP tools. It handles listing buckets, reading objects, uploading files, and managing metadata. Best for teams whose primary file storage lives in AWS. The main trade-off: it requires AWS credentials and IAM configuration, which adds setup complexity compared to the zero-auth filesystem server.

Google Drive MCP Server

The Google Drive MCP Server integrates with Google Drive, Docs, Sheets, Slides, and Calendar. It handles listing, reading, and searching files through OAuth authentication. The strongest use case is teams already embedded in the Google ecosystem who want Claude to access shared documents. It does not replace local filesystem access — it complements it for cloud-stored documents.

Dropbox MCP Server

The Dropbox MCP Server provides file and folder management through the Dropbox API. It supports reading, writing, moving, and deleting files in your Dropbox account. Best for individuals or teams using Dropbox as their primary cloud storage. Like the Google Drive option, this handles a fundamentally different storage layer than local filesystem access.

Enhanced Community Alternatives

Several community-built filesystem MCP servers extend the official server's capabilities:

• @shtse8/filesystem-mcp — Adds batch operations (read multiple files, delete multiple items in one request), reducing round trips and token usage.
• @cyanheads/filesystem-mcp-server — Adds regex-based search-and-replace in update_file, plus a set_filesystem_default tool for setting a working directory.
• @redf0x1/mcp-server-filesystem — 12 tools including glob pattern search, head+tail file reading, and command execution.

These community servers add features the official server lacks. The trade-off is that they are not maintained by Anthropic, so security patches and protocol updates may lag behind the reference implementation.

Final Verdict: Is the Filesystem MCP Server Worth It?

Yes. The Filesystem MCP Server is not optional — it is foundational. If you are using Claude Desktop or any MCP-compatible client for development work, document processing, or project management, this server should be the first one you install.

The seven tools cover the essential operations cleanly. The allowed directories model provides a security boundary that is easy to understand and configure. The one-command install means you can go from zero to working file access in under two minutes. And as an Anthropic-maintained reference implementation, it tracks protocol changes faster than any community alternative.

The security history is the main concern. Two CVEs in 2025 — including a symlink escape rated 8.4 — are serious. Both have been patched, and the current codebase includes proper symlink resolution and directory boundary validation. But the incidents are a reminder that "official" does not mean "infallible." Keep the server updated.

The missing features (no file search, no move/rename, no streaming for large files) are real limitations. For most workflows, they are minor. If batch operations or content search are critical to your use case, consider pairing the official server with one of the enhanced community alternatives.

Rating: 4.5/5 — The Filesystem MCP Server is the bedrock of the MCP ecosystem. It does its core job exceptionally well, the security model is sound (post-patches), and it is maintained by the people who created the protocol. The half-point deduction is for the CVE history and the handful of missing convenience features.

Browse the Filesystem MCP Server on Skiln →

Frequently Asked Questions

Is the Filesystem MCP Server free?

Yes. The Filesystem MCP Server is completely free and open source under the MIT license. It is published on npm as @modelcontextprotocol/server-filesystem and can be installed with a single npx command. There are no paid tiers, usage limits, or licensing restrictions.

How do I install the Filesystem MCP Server?

Add it to your Claude Desktop configuration file (claude_desktop_config.json) with the command npx, arguments -y @modelcontextprotocol/server-filesystem, followed by the directory paths you want Claude to access. Restart Claude Desktop and the server starts automatically. No separate installation step is required.

Is the Filesystem MCP Server safe to use?

The current version (2025.7.1+) includes patches for two CVEs discovered in mid-2025 — a symlink bypass and a prefix-matching directory escape. The patched version resolves symlinks before validation and uses proper directory boundary checks. Keep the server updated and scope your allowed directories narrowly for the strongest security posture.

What tools does the Filesystem MCP Server provide?

Seven tools: read_file (read file contents), write_file (create or overwrite files), edit_file (search-and-replace within files), create_directory (create folders), list_directory (list folder contents), get_file_info (file metadata like size and timestamps), and list_allowed_directories (show which directories the server can access).

Does the Filesystem MCP Server work with Claude Code?

Claude Code has built-in file access tools (Read, Edit, Write, Glob, Grep) that are more capable than the MCP server equivalents. The Filesystem MCP Server is primarily designed for Claude Desktop and other MCP clients that lack native file access. You can add it to Claude Code via .mcp.json, but it is redundant for most workflows.

Can the Filesystem MCP Server access files outside allowed directories?

No. The server validates every file path against the configured allowed directories before executing any operation. Paths outside these boundaries are rejected. After the 2025 security patches, this includes resolving symlinks and preventing directory prefix-matching bypasses.

What is the difference between the Filesystem MCP Server and the Google Drive MCP?

The Filesystem MCP Server accesses files on your local disk. The Google Drive MCP Server accesses files stored in Google Drive cloud storage. They serve different storage layers. Use the Filesystem MCP for local development and project files. Use Google Drive MCP for cloud-hosted documents and team-shared files. They can run side by side.

Are there better alternatives to the Filesystem MCP Server?

For local file access, the official Filesystem MCP Server is the most reliable option because Anthropic maintains it alongside the protocol itself. Community alternatives like @shtse8/filesystem-mcp add batch operations and @redf0x1/mcp-server-filesystem adds glob search, but they trade official maintenance for extra features. For cloud files, use the S3, Google Drive, or Dropbox MCP servers instead.

Related Articles

• Top 10 MCP Servers Every Developer Needs in 2026
• MCP Security Guide: What Every Developer Should Know
• What is MCP? The Model Context Protocol Explained
• How to Troubleshoot MCP Server Issues
• MCP Elicitation: The Protocol Feature Most Developers Miss