[ ⌘K ]
← BACK TO SEARCH

chapirousIA/pje-mcp-server

critical

No description

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)threat: network exposed
JavaScript28May 20, 2026May 20, 2026GITHUB
Vulnerability Analysis[ 4 findings in 4 blocks ]
5/20/2026
high1 finding
src/index.ts
382    const certificateConfig: CertificateConfig = {
383      certificateThumbprint: '7db4b6cc9de4785944bcf1c8f3cde03355733b84',
384      certificatePassword: '123456'
385    };
src/index.ts:370-384

// Network-exposed MCP server; credentials are visible in source code to anyone who can access the server files.

The configurarPJE method hardcodes a certificate thumbprint and password. These credentials are used to authenticate with the PJE system. Hardcoding credentials in source code is a security vulnerability as they can be extracted from the binary or source.

ImpactAn attacker with access to the source code or decompiled server can extract these credentials and use them to authenticate to the PJE system, potentially gaining unauthorized access to legal case data.

FixRemove hardcoded credentials. Use environment variables or a secure secrets manager to inject credentials at runtime.

high1 finding
src/index.ts
650private async listarCertificados() {
651    try {
652      const { stdout } = await execAsync('certutil -store My');
653      return {
654        content: [
655          {
656            type: "text",
657            text: `🔍 **Certificados Digitais Disponíveis no Windows**\n\n${stdout}`,
658          },
659        ],
660      };
src/index.ts:13

// Network-exposed MCP server; any user with access to the MCP can invoke this tool and receive certificate store output.

The tool 'pje_listar_certificados' executes a hardcoded shell command 'certutil -store My' via execAsync. While the command itself is static, the output is returned to the user. This is a shell execution capability that could be abused if the command were to become dynamic or if the output contains sensitive information. However, the primary risk is that the tool exposes shell execution functionality beyond the intended purpose of querying a legal database API.

ImpactAn attacker could potentially exploit this if the command were modified to execute arbitrary commands, but currently the command is static. The impact is limited to information disclosure from the certificate store.

FixAvoid shell execution entirely. Use Node.js crypto or a certificate library to list certificates programmatically instead of shelling out to certutil.

medium1 finding
src/index.ts
370  private async configurarPJE(args: any) {
371    const config: PJEConfig = {
372      baseUrl: args.baseUrl || process.env.PJE_BASE_URL || "https://pje.tjce.jus.br",
373      appName: args.appName || process.env.PJE_APP_NAME || "pje-tjce-1g",
374      ssoUrl: args.ssoUrl || process.env.PJE_SSO_URL,
375      clientId: args.clientId || process.env.PJE_CLIENT_ID,
376      clientSecret: args.clientSecret || process.env.PJE_CLIENT_SECRET,
377      username: args.username || process.env.PJE_USERNAME,
378      password: args.password || process.env.PJE_PASSWORD,
379    };
src/index.ts:370-379

// Network-exposed MCP server; any user can invoke this tool and set arbitrary connection parameters.

The pje_configurar tool allows the user to set arbitrary baseUrl, ssoUrl, clientId, clientSecret, username, and password. This means an attacker could configure the MCP to connect to a malicious server, potentially exfiltrating credentials or performing SSRF attacks. The tool's purpose is to configure connection to a specific legal system, but it allows arbitrary endpoints.

ImpactAn attacker could redirect the MCP to a malicious server, capture credentials, or perform SSRF attacks against internal networks.

FixRestrict baseUrl to a predefined list of allowed PJE instances, or validate the URL against a whitelist. Do not allow arbitrary credentials to be set via tool arguments.

medium1 finding
src/index.ts
161    if (filter) {
162      params.filter = typeof filter === "string" ? filter : JSON.stringify(filter);
163    }
164    if (fields) {
165      params.fields = Array.isArray(fields) ? JSON.stringify(fields) : fields;
166    }
167    if (order) {
168      params.order = typeof order === "string" ? order : JSON.stringify(order);
169    }
src/index.ts:161-177

// Network-exposed MCP server; the LLM could be tricked into sending malicious filter values.

The filter, fields, and order parameters are passed directly to the API without validation. While this is an API client, the tool exposes these parameters to the LLM, which could be used to inject malicious query parameters or perform API abuse. However, the actual injection risk is low as the parameters are sent to an external API, not executed locally.

ImpactAn attacker could craft filter strings that cause the PJE API to return unexpected data or perform unintended operations, but this is limited by the API's own security.

FixValidate that filter, fields, and order are safe strings (e.g., no special characters) before sending to the API.

Heuristic Signals
network.httpshell.execenv.exposurefilesystem.read

Risk Score

80
LLM-based
high findings+50
medium findings+30