Nullwar3/mcp-server-http
criticalNo description
MCP server (purpose undetermined)
130server.tool("create-random-user", "Create a random user with fake data",
131 {
132 title: "Create Random User",
133 readOnlyHint: false,
134 destructiveHint: false,
135 idempotentHint: false,
136 openWorldHint: true,
137 },
138 async () => {
139 const res = await server.server.request({
140 method: "sampling/createMessage",
141 params: {
142 messages: [{
143 role: "user",
144 content: {
145 type: "text",
146 text: "Generate fake user data. The user should have a realistic name, email, address, and phone number. Return this data as a JSON object with no other text or formatter so it can be used with JSON.parse."
147 }
148 }],
149 maxTokens: 1024
150 }
151 }, CreateMessageResultSchema)
152 ...
153 try {
154 const fakeUser = JSON.parse(res.content.text
155 .trim()
156 .replace(/^```json/, "")
157 .replace(/```$/, "")
158 .trim()
159 )
160 const id = await createUser(fakeUser)
161 ...
162 } catch {
163 ...
164 }
165 }
166)// Exploitable if MCP is exposed to untrusted prompts; local-only requires compromised LLM.
The 'create-random-user' tool uses LLM sampling to generate user data and then directly parses it as JSON and passes it to createUser. The LLM output is not validated against the expected schema (name, email, address, phone). An attacker could manipulate the prompt or the LLM to generate arbitrary JSON, potentially including extra fields or malicious data that could be written to the database.
ImpactAn attacker could inject arbitrary data into the user database, potentially corrupting data or causing injection attacks if the data is later used unsafely. The LLM could also be tricked into generating code or other dangerous content.
FixValidate the LLM-generated JSON against a strict schema before using it. Ensure only expected fields are present and that they match expected types and constraints. Consider using Zod to parse and validate the data.
24server.tool("create-user", "Create a new user in the database", {
25 name: z.string(),
26 email: z.string().email(),
27 address: z.string(),
28 phone: z.string()
29}, {
30 openWorldHint: true,
31 destructiveHint: false,
32 idempotentHint: false,
33 readOnlyHint: false,
34 title: "Create a new user in the database",
35 description: "Create a new user in the database",
36}, async (params) => {
37 try {
38 const id = await createUser(params)
39 return {
40 content: [
41 { type: "text", text: `User ${id} created successfully` }
42 ]
43 }
44 } catch {
45 return {
46 content: [{
47 type: "text",
48 text: "Error creating user"
49 }]
50 }
51 }
52}
53)// Exploitable if MCP is exposed to untrusted prompts; local-only requires compromised LLM.
The 'create-user' tool accepts arbitrary string inputs for name, address, and phone without any validation beyond type checking. The email field is validated as email format, but other fields can contain any data, including malicious payloads. The tool writes to a local JSON file, but the lack of input sanitization could lead to injection if the data is later used in other contexts (e.g., displayed in a web interface).
ImpactAn attacker could inject malicious content into the user database, potentially leading to stored XSS or other injection attacks if the data is consumed by other systems. However, within the MCP context, the primary risk is data corruption or unexpected behavior.
FixImplement input validation and sanitization for all fields. Consider using a library like DOMPurify for HTML sanitization if data will be rendered in a browser. Also, validate that strings do not contain control characters or unexpected patterns.
215app.post('/mcp', async (req: express.Request, res: express.Response) => {
216 const sessionId = req.headers['mcp-session-id'] as string | undefined;
217 let transport: StreamableHTTPServerTransport;
218 if (sessionId && transports[sessionId]) {
219 transport = transports[sessionId];
220 } else if (!sessionId && isInitializeRequest(req.body)) {
221 transport = new StreamableHTTPServerTransport({
222 sessionIdGenerator: () => randomUUID(),
223 onsessioninitialized: (sessionId) => {
224 transports[sessionId] = transport;
225 },
226 });
227 ...
228 await server.connect(transport)
229 } else {
230 res.status(400).json({...});
231 return;
232 }
233 await transport.handleRequest(req, res, req.body)
234})
235app.get('/mcp', handleSessionRequest);
236app.delete('/mcp', handleSessionRequest);
237app.listen(3000);// Exploitable if MCP is exposed to untrusted network; local-only requires compromised LLM.
The MCP server exposes endpoints on port 3000 without any authentication or authorization. Any client that can reach the server can initialize a session and call any tool or resource. The only protection is a session ID, which is generated randomly but not authenticated.
ImpactAn attacker on the network can connect to the MCP server and invoke any tool, including creating users, reading user data, and potentially exploiting other vulnerabilities. This is especially critical if the server is exposed to the internet.
FixImplement authentication (e.g., API keys, OAuth) and authorization checks. Restrict access to trusted clients only. Consider using network-level controls (firewall) to limit exposure.
114server.prompt("generate-fake-user", "Generate a fake user based on a given name", {
115 name: z.string()
116}, ({ name }) => {
117 return {
118 messages: [
119 {
120 role: "user",
121 content: {
122 type: "text",
123 text: `Generate a fake user with the name ${name}. The user should have a realistic email, address, and phone number.`,
124 }
125 }
126 ]
127 }
128})// Exploitable if MCP is exposed to untrusted prompts; local-only requires compromised LLM.
The 'generate-fake-user' prompt directly interpolates user input into the prompt text without sanitization. An attacker could inject additional instructions into the name parameter, potentially causing the LLM to perform unintended actions or reveal sensitive information.
ImpactAn attacker could manipulate the LLM's behavior, potentially leading to data leakage, generation of malicious content, or other unintended outputs. This is a classic prompt injection vulnerability.
FixSanitize user input before including it in prompts. Use delimiters or structured formats to separate user input from instructions. Consider using a template that escapes special characters.