XxYouDeaDPunKxX/cloudflare-r2-remote-mcp-worker · critical

Remote MCP server for Cloudflare R2, deployable on Cloudflare Workers.

This MCP server exposes Cloudflare R2 object storage operations (list, head, get, put, delete, copy, move, rename) via a remote MCP endpoint, deployab...

purpose: This MCP server exposes Cloudflare R2 object stora...
threat: network exposed
TypeScript · 0 · Jun 11, 2026 · Jun 12, 2026
RISK SCORE
0 / 100 risk
high findings: +75
medium findings: +30
capped at 100
VULNERABILITY ANALYSIS · 5 findings in 5 blocks · 3 HIGH · 2 MEDIUM
HIGH · 1 finding
src/r2/keys.ts:1
// File not provided, but referenced in config.ts line 101: import { normalizeRootPrefix } from "./r2/keys";
// The rootPrefix is only used to prefix keys, but tools accept arbitrary keys without validation that they fall under rootPrefix.
src/index.ts:18 · src/server.ts:11 · src/tools/registerAllTools.ts:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).

EXPLAIN: The server configures a rootPrefix to scope operations, but the tools (list, head, get, put, delete, copy, move, rename) accept arbitrary object keys without verifying they are within the rootPrefix. An attacker can access or modify objects outside the intended prefix.
IMPACT: An attacker with access to the MCP tools can list, read, write, delete, copy, move, or rename any object in the bucket, bypassing the rootPrefix restriction.
FIX: Validate that all object keys start with the configured rootPrefix (if set) before performing operations. Reject keys that do not match.
HIGH · 1 finding
src/tools/registerAllTools.ts:1
// File not provided, but the server registers tools: object delete, object copy, object move, object rename.
// These allow permanent deletion and modification of objects.
src/index.ts:18 · src/server.ts:11 · src/tools/registerAllTools.ts:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).

EXPLAIN: The server exposes tools that can delete, overwrite, or rename objects. While this is within the intended purpose, the lack of any authorization or scope restriction (beyond rootPrefix) means any user with access can destroy data.
IMPACT: An attacker can delete all objects in the bucket, or corrupt data by moving/renaming objects, causing data loss or denial of service.
FIX: Consider adding a read-only mode or requiring additional authorization for destructive operations. At minimum, enforce rootPrefix and validate keys.
HIGH · 1 finding
src/r2/keys.ts:1
// File not provided, but the tools accept user-supplied keys without sanitization.
// Example from object get: key is passed directly to env.R2_BUCKET.get(key).
src/index.ts:18 · src/server.ts:11 · src/tools/registerAllTools.ts:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).

EXPLAIN: Object keys are not validated for path traversal sequences (e.g., '../' or '/'). While R2 itself may reject some, the server does not perform any validation, potentially allowing access to unintended objects if the bucket allows such keys.
IMPACT: An attacker could use path traversal in object keys to access or manipulate objects outside the intended scope, especially if combined with rootPrefix bypass.
FIX: Sanitize object keys to reject any containing '..' or starting with '/'. Also enforce rootPrefix validation.
MEDIUM · 1 finding
src/r2/account-api.ts:40
export function createAccountApi(config: ServerConfig): AccountApi {
  const { accountId, apiToken } = requireAccountConfig(config);

  return {
    async get(path, query) {
      const url = new URL(`${CLOUDFLARE_API_BASE}/accounts/${encodePathPart(accountId)}${path}`);
      appendQuery(url, query);

      const response = await fetch(url, {
        headers: {
          Accept: "application/json",
          Authorization: `Bearer ${apiToken}`,
        },
        method: "GET",
      });
src/index.ts:18 · src/server.ts:11 · src/tools/registerAllTools.ts:1

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).

EXPLAIN: The account tools use a Cloudflare API token with potentially broad permissions. If an attacker can call these tools, they can list buckets, get bucket info, and list bucket events. The token is stored in plaintext and used directly.
IMPACT: An attacker can enumerate all R2 buckets and their metadata, potentially discovering sensitive information about the infrastructure.
FIX: Restrict the API token to only the necessary permissions. Consider disabling account tools by default (they are optional).
MEDIUM · 1 finding
src/config.ts:96
    presignAccessKeyId: clean(env.R2_ACCESS_KEY_ID),
    presignEndpoint: clean(env.R2_S3_ENDPOINT) ?? defaultR2Endpoint(accountId),
    presignRegion: clean(env.R2_S3_REGION) ?? "auto",
    presignSecretAccessKey: clean(env.R2_SECRET_ACCESS_KEY),
src/index.ts:40 · src/config.ts:72

// Exploitable if MCP is exposed to untrusted prompts (network_exposed) or by a compromised LLM (local_only).

EXPLAIN: The presign credentials (R2_ACCESS_KEY_ID and R2_SECRET_ACCESS_KEY) are stored in plaintext environment variables. While this is common for serverless, if an attacker gains access to the environment (e.g., via SSRF or another vulnerability), they can extract these credentials.
IMPACT: An attacker with access to environment variables can generate presigned URLs for any object, or use the credentials directly to access R2.
FIX: Use a secrets manager or encrypt the credentials. Ensure environment variables are not exposed in error messages or logs.
6/12/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.