ajvkrish-art/mcp-server · critical

No description

This MCP server provides personalized question answering by storing and retrieving user context and conversation history in DynamoDB. It supports user...

purpose: This MCP server provides personalized question answering
threat: network exposed
TypeScript · 0 · May 21, 2026 · May 22, 2026 · GITHUB ↗
RISK SCORE: 100 / 100 risk
high findings +125 · medium findings +30 · low findings +5 (raw total 160, capped at 100)
VULNERABILITY ANALYSIS · 8 findings in 8 blocks · 5 HIGH · 2 MEDIUM · 1 LOW
HIGH · 1 finding
src/utils/config.ts:111
111    redis: {
112      url: process.env.REDIS_URL,
113      password: process.env.REDIS_PASSWORD,
114    },
src/utils/config.ts:1

// Exploitable if MCP server is compromised or environment variables are leaked.

EXPLAIN: The Redis password is read from REDIS_PASSWORD and kept as a plain string in the config object. Reading it from the environment is normal practice; the exposure is the environment itself (process dumps, /proc/<pid>/environ, a debug endpoint or crash report that serializes config) and, unless the URL uses rediss://, the AUTH command crossing the network in clear text. Anyone holding the password can connect to Redis and read or modify cached data.
IMPACT: An attacker can connect to the Redis server, read cached data (which may include user sessions or context), alter it, or disrupt service.
FIX: Keep the password in a secrets manager and inject it at start-up, connect over TLS (rediss://), and authenticate as a dedicated Redis ACL user limited to the commands and key prefixes this server needs rather than the default user. Make sure the config object is never logged or returned whole.
HIGH · 1 finding
src/utils/config.ts:82
82    aws: {
83      region: process.env.AWS_REGION!,
84      accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
85      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
86    },
src/utils/config.ts:1 · src/database/dynamodb-client.ts:1-10

// Exploitable if MCP server is compromised or environment variables are leaked.

EXPLAIN: The AWS access key ID and secret access key are read from environment variables into the config object and used to initialize the DynamoDB client in src/database/dynamodb-client.ts (lines 6-10). Static keys are long-lived: anyone who reads the server's environment or the config object can reuse them from anywhere, with every permission the key's IAM user holds, which may extend well beyond DynamoDB. The `!` non-null assertions only silence the compiler; an unset variable still becomes undefined at runtime.
IMPACT: An attacker with access to the server or its environment can steal the keys and use them to read, modify or delete DynamoDB tables, exfiltrate data, or act on any other service the IAM user is allowed to reach.
FIX: Run the server under an IAM role (EC2 instance profile, ECS task role, Lambda execution role, IRSA on EKS) and leave accessKeyId and secretAccessKey unset so the SDK's default credential chain picks up short-lived role credentials. Scope the role's policy to the specific table ARNs and item-level actions the server needs. If static keys are unavoidable, fetch them from a secrets manager (AWS Secrets Manager, HashiCorp Vault) at runtime and rotate them regularly.
HIGH · 1 finding
src/utils/config.ts:77
77    jwt: {
78      secret: process.env.JWT_SECRET!,
79      expiresIn: process.env.JWT_EXPIRES_IN || '24h',
80      refreshExpiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d',
81    },
src/utils/config.ts:1

// Exploitable if MCP server is compromised or environment variables are leaked.

EXPLAIN: The JWT signing secret is read from JWT_SECRET into the config object. With HS256 the same secret both signs and verifies, so anyone who obtains it can mint tokens for any user with any expiry and pass authMiddleware on every protected route. A short or guessable value is also recoverable offline from a single captured token. The `!` on line 78 does not guarantee the variable is set; if JWT_SECRET is missing, the secret is undefined at runtime and whatever the JWT library does with that decides the outcome.
IMPACT: An attacker holding the secret can forge tokens, reach all authenticated endpoints (context, QA) and read or write any user's data.
FIX: Generate the secret randomly with at least 256 bits of entropy, load it from a secrets manager, and refuse to start when it is missing or too short. Pin the expected algorithm when verifying. If more than one service must verify tokens, switch to an asymmetric algorithm (RS256 or ES256) so only the issuer holds the private key. Rotate the secret on a schedule and on any suspected exposure.
HIGH · 1 finding
src/utils/config.ts:107
107    ai: {
108      openaiApiKey: process.env.OPENAI_API_KEY,
109      anthropicApiKey: process.env.ANTHROPIC_API_KEY,
110    },
src/utils/config.ts:1

// Exploitable if MCP server is compromised or environment variables are leaked.

EXPLAIN: The OpenAI and Anthropic API keys are read from environment variables into the config object. A leaked key lets an attacker call the providers on the project's account until the key is revoked.
IMPACT: Unauthorized API calls billed to the project, plus access to whatever the key's scope covers at the provider (depending on the provider, uploaded files, stored responses or fine-tuning artifacts).
FIX: Load the keys from a secrets manager at runtime, scope each key to a single project or workspace where the provider supports it, set spend limits, and rotate the keys on any suspected exposure.
HIGH · 1 finding
src/utils/config.ts:115
115    monitoring: {
116      sentryDsn: process.env.SENTRY_DSN,
117    },
src/utils/config.ts:1

// Exploitable if MCP server is compromised or environment variables are leaked.

EXPLAIN: The Sentry DSN is read from SENTRY_DSN into the config object. A DSN is an ingest credential: it identifies the project and lets its holder submit events, but it grants no read access to error data. Sentry designs DSNs to ship inside browser and mobile SDKs, so its exposure is mild compared with the other secrets in this file.
IMPACT: An attacker who learns the DSN can flood the project with fabricated events, burning quota and burying real errors in noise.
FIX: Treat the DSN as low-sensitivity but still keep it out of logs and public repositories, use one DSN per environment, and rely on Sentry's per-key rate limits and inbound filters so a leaked DSN cannot exhaust the quota. Revoke and reissue the key if abuse is observed.
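The five HIGH findings above share one root cause: secrets sit in the config object as plain strings, so anything that logs, serializes or dumps that object leaks them. The following is an added example for this report, not code from ajvkrish-art/mcp-server; the Secret wrapper, AppConfig, loadConfig and leaksSecrets are hypothetical names, while the environment variable names are the ones the findings quote from src/utils/config.ts. It redacts secrets on JSON.stringify and util.inspect, refuses a JWT secret shorter than 256 bits, and in production refuses static AWS keys so the SDK falls back to the IAM role.

```typescript
// Added example for this report; not code from ajvkrish-art/mcp-server.
// Secret, AppConfig, loadConfig and leaksSecrets are hypothetical names. The
// environment variable names are the ones quoted from src/utils/config.ts.
import { inspect } from 'util';

// Wraps a secret so that logging or serializing the config object prints a
// placeholder. The value is only reachable through expose().
export class Secret {
  private readonly value: string;
  constructor(value: string) {
    this.value = value;
  }
  expose(): string {
    return this.value;
  }
  toString(): string {
    return '[REDACTED]';
  }
  toJSON(): string {
    return '[REDACTED]';
  }
  [inspect.custom](): string {
    return 'Secret([REDACTED])';
  }
}

export interface AppConfig {
  aws: {
    region: string;
    // Only set outside production; in production the AWS SDK's default
    // credential chain picks up the instance profile / task role.
    credentials?: { accessKeyId: string; secretAccessKey: Secret };
  };
  jwt: { secret: Secret; expiresIn: string; refreshExpiresIn: string };
  ai: { openaiApiKey?: Secret; anthropicApiKey?: Secret };
  redis: { url?: string; password?: Secret };
  monitoring: { sentryDsn?: string }; // a DSN is an ingest-only token
}

type Env = Record<string, string | undefined>;

function required(env: Env, name: string): string {
  const v = env[name];
  if (!v) throw new Error(`missing required environment variable ${name}`);
  return v;
}

function optionalSecret(env: Env, name: string): Secret | undefined {
  return env[name] ? new Secret(env[name] as string) : undefined;
}

export function loadConfig(env: Env = process.env): AppConfig {
  const production = env.NODE_ENV === 'production';

  const jwtSecret = required(env, 'JWT_SECRET');
  // HS256 needs at least 256 bits of secret; a short passphrase is brute-forceable offline.
  if (Buffer.byteLength(jwtSecret, 'utf8') < 32) {
    throw new Error('JWT_SECRET must be at least 32 bytes');
  }

  const accessKeyId = env.AWS_ACCESS_KEY_ID;
  const secretAccessKey = env.AWS_SECRET_ACCESS_KEY;
  if (production && (accessKeyId || secretAccessKey)) {
    throw new Error('static AWS keys are not allowed in production; attach an IAM role instead');
  }

  return {
    aws: {
      region: required(env, 'AWS_REGION'),
      credentials:
        accessKeyId && secretAccessKey
          ? { accessKeyId, secretAccessKey: new Secret(secretAccessKey) }
          : undefined,
    },
    jwt: {
      secret: new Secret(jwtSecret),
      expiresIn: env.JWT_EXPIRES_IN || '24h',
      refreshExpiresIn: env.JWT_REFRESH_EXPIRES_IN || '7d',
    },
    ai: {
      openaiApiKey: optionalSecret(env, 'OPENAI_API_KEY'),
      anthropicApiKey: optionalSecret(env, 'ANTHROPIC_API_KEY'),
    },
    redis: { url: env.REDIS_URL, password: optionalSecret(env, 'REDIS_PASSWORD') },
    monitoring: { sentryDsn: env.SENTRY_DSN },
  };
}

// True if JSON.stringify or util.inspect of the config would reveal any secret
// value present in env. Run it as a unit test whenever AppConfig changes.
export function leaksSecrets(config: AppConfig, env: Env): boolean {
  const dump = JSON.stringify(config) + inspect(config, { depth: 8 });
  return ['JWT_SECRET', 'AWS_SECRET_ACCESS_KEY', 'REDIS_PASSWORD', 'OPENAI_API_KEY', 'ANTHROPIC_API_KEY']
    .map((name) => env[name])
    .some((v) => !!v && dump.includes(v));
}
```

Call expose() only at the point that needs the raw value (the JWT verifier, the Redis client options, the provider SDK constructor) and never store the result anywhere long-lived; keeping leaksSecrets() in the test suite means a field added to AppConfig later cannot quietly reintroduce a plain-string secret.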
MEDIUM · 1 finding
src/server/mcp-server.ts:224
224  private async getUserContext(args: any): Promise<any> {
225    try {
226      const { userId, limit = 10 } = args;
227      
228      // This would call the context service
229      // For now, return a placeholder
230      return {
231        contexts: [],
232        total: 0,
233        userId,
234      };
235    } catch (error) {
236      logger.error('Error getting user context', error);
237      throw error;
238    }
239  }
src/server/mcp-server.ts:90-113

// Network-exposed MCP server allows unauthenticated access to all user data.

EXPLAIN: The MCP tools (get_user_context, store_user_context, answer_question, get_user_profile) take a userId argument and never check that the caller is allowed to act for that user. authMiddleware is attached to the HTTP routes only; the MCP endpoint mounted at line 90 (/mcp) does not use it, so any MCP request can name any userId with no token at all. Note that getUserContext as shown is still a placeholder returning an empty list ("For now, return a placeholder"), so the data exposure is latent; once the context service is wired in, the missing authentication and authorization checks apply to all four tools.
IMPACT: An attacker can call MCP tools with arbitrary userId values to read or write any user's context, bypassing authentication entirely.
FIX: Put authMiddleware in front of /mcp, or verify the bearer token inside the MCP request handler, and then reject any call whose userId differs from the subject of the verified token (or derive userId from the token and drop it from the tool schema altogether).
MEDIUM · 1 finding
src/server/mcp-server.ts:224
224  private async getUserContext(args: any): Promise<any> {
225    try {
226      const { userId, limit = 10 } = args;
227      // ...
228    } catch (error) {
229      logger.error('Error getting user context', error);
230      throw error;
231    }
232  }
233
234  private async storeUserContext(args: any): Promise<any> {
235    try {
236      const { userId, content, source, tags = [] } = args;
237      // ...
238    } catch (error) {
239      logger.error('Error storing user context', error);
240      throw error;
241    }
242  }
src/server/mcp-server.ts:148-163

// Network-exposed MCP server accepts arbitrary input without validation.

EXPLAIN: The tool handlers take args as any and destructure it without checking types or formats. userId is expected to be a string but nothing enforces that: an object, a number, an empty string or a multi-megabyte string all pass through to whatever the handler eventually does with them. content, source and tags in store_user_context are likewise unchecked, and limit is never bounded. Unvalidated values that reach DynamoDB keys or model prompts give an attacker control over which items are touched and what the model is asked.
IMPACT: Malformed input (oversized strings, wrong types, special characters) can crash handlers, corrupt stored context, inflate AI spend if unbounded content reaches the model, or feed attacker-controlled text into downstream queries and prompts.
FIX: Validate every tool argument against a schema before use: required keys, types, length limits, an allowed pattern for userId, a bounded integer for limit, and a capped number of short tags. Use a validation library such as Zod or Joi, and reject unknown keys.
LOW · 1 finding
src/database/dynamodb-client.ts:237
237  async createTable(params: AWS.DynamoDB.CreateTableInput): Promise<void> {
238    try {
239      await this.service.createTable(params).promise();
240      logger.info(`Table ${params.TableName} created successfully`);
241    } catch (error) {
242      logger.error('DynamoDB createTable error', error);
243      throw error;
244    }
245  }
246
247  async deleteTable(tableName: string): Promise<void> {
248    try {
249      await this.service.deleteTable({ TableName: tableName }).promise();
250      logger.info(`Table ${tableName} deleted successfully`);
251    } catch (error) {
252      logger.error('DynamoDB deleteTable error', error);
253      throw error;
254    }
255  }
src/database/dynamodb-client.ts:1

// Local-only MCP, requires compromised LLM to exploit.

EXPLAIN: DynamoDBClient exposes createTable and deleteTable alongside the item-level operations. They are not reachable through MCP tools, but any code that imports the client can call them, and for them to work at all the runtime credentials (see the AWS finding above) must carry dynamodb:CreateTable and dynamodb:DeleteTable. Those permissions are the real exposure: a compromised server can drop the tables whether or not these wrapper methods exist.
IMPACT: Deleting tables causes data loss and an outage; creating tables consumes resources and incurs cost.
FIX: Move table lifecycle into deployment tooling (infrastructure as code or admin scripts run under a separate role) and remove the methods from the runtime client. Grant the server's IAM role only item-level actions (GetItem, PutItem, Query, UpdateItem, DeleteItem) on the specific table ARNs, so table deletion is impossible from the running process even if its code is compromised, and enable DynamoDB deletion protection on the tables as a backstop.
5/22/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.