jatinderbhola/mcp-taskflow-tracker-api

critical

MCP server with TypeScript REST API for intelligent project management. Features dynamic entity discovery, natural language processing, and dev-ready AI agent integration for task tracking and workload analysis.

This MCP server provides a TypeScript REST API for project and task management, integrating MCP for natural language querying, workload analysis, and ...

purpose: This MCP server provides a TypeScript REST API forthreat: network exposed

TypeScript★ 0◷ May 20, 2026⚙ May 20, 2026GITHUB

ai-agentsmcpmodel-context-protocolnatural-language-processingpostgresqlprisma-ormproject-managementprompt-engineeringredisrest-apitypescript

◆Vulnerability Analysis[ 5 findings in 3 blocks ]

◷ 5/20/2026

high3 findings

src/index.ts

10export const app = express();
11const port = process.env.PORT || 3000;
12
13app.use(express.json());
14app.use(express.urlencoded({ extended: true }));
15
16// Health check
17app.get('/health', (_, res) => res.json({ status: 'ok' }));
18
19// API routes
20app.use('/api/projects', projectRoutes);
21app.use('/api/tasks', taskRoutes);
22
23// Swagger documentation
24app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
25
26// Error handling
27app.use(errorHandler);

high1 finding

src/index.ts

13app.use(express.json());
14app.use(express.urlencoded({ extended: true }));

src/index.ts:13-14

// Network-exposed MCP server; unvalidated input can be sent by any client.

The application uses express.json() and express.urlencoded() but does not apply any input validation or sanitization middleware (e.g., express-validator, zod schemas on request bodies). The TODO comments confirm that input validation is planned but not implemented. This leaves the application vulnerable to injection attacks and malformed data.

ImpactAn attacker could send malicious payloads in request bodies or query parameters, potentially leading to NoSQL injection (if using MongoDB), SQL injection (if raw queries are used), or other injection attacks. Additionally, missing validation could allow unexpected data types to cause application errors or logic flaws.

FixImplement input validation middleware using libraries like express-validator or zod. Validate all request bodies, query parameters, and path parameters against defined schemas before passing to controllers.

low1 finding

src/index.ts

24app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));

src/index.ts:24

// Network-exposed MCP server; documentation aids attackers.

The Swagger UI documentation is exposed at /api-docs without any authentication. While this is not a vulnerability per se, it provides an attacker with a complete map of all API endpoints, request formats, and data schemas, making it easier to craft attacks.

ImpactAn attacker can discover all API endpoints and their parameters, facilitating targeted attacks against the API.

FixRestrict access to /api-docs in production, either by removing it or adding authentication middleware before the Swagger UI route.

◆Heuristic Signals

shell.execpostgres.accessenv.exposurenetwork.http

◆Risk Score

LLM-based

low findings+5

high findings+50

medium findings+30