vinothvino42/mcp-weather
Severity: high

MCP Weather is a Model Context Protocol (MCP) server that provides current weather information for any city. It exposes an API endpoint to fetch real-time weather data by city location.
This MCP server provides current weather information for any city by fetching real-time weather data from the Open-Meteo API. It accepts a city name, ...
const response = await fetch(
  `https://geocoding-api.open-meteo.com/v1/search?name=${city}&count=10&language=en&format=json`
);
// Exploitable if MCP is exposed to untrusted prompts (network_exposed).
The city parameter is interpolated directly into the URL without any validation or sanitization. An attacker who controls the city value could inject special characters or URL fragments to alter the request, potentially causing the server to send requests to unintended endpoints or perform server-side request forgery (SSRF).

Impact: An attacker could redirect the geocoding request to an internal service or a malicious external server, leading to information disclosure or further exploitation.

Fix: Validate and sanitize the city input, and URL-encode it (e.g., with encodeURIComponent) before inserting it into the URL.
const weatherResponse = await fetch(
  `https://api.open-meteo.com/v1/forecast?latitude=${latitude}&longitude=${longitude}&hourly=temperature_2m&current=temperature_2m,relative_humidity_2m,wind_speed_10m,precipitation,rain,showers,cloud_cover,apparent_temperature`
);
// Exploitable if MCP is exposed to untrusted prompts (network_exposed).
The latitude and longitude values taken from the geocoding API response are interpolated into the forecast API URL without validation. Although these values come from an external API, an attacker who can influence the geocoding response (e.g., via DNS rebinding, or if the geocoding API itself is compromised) could inject malicious coordinate values, leading to SSRF.

Impact: An attacker could cause the server to make requests to arbitrary IP addresses or internal services, potentially leading to information disclosure or further exploitation.

Fix: Validate that latitude and longitude are numeric and within valid ranges (latitude -90 to 90, longitude -180 to 180), and URL-encode them before inserting them into the URL.