ovalInTheSand/openproject-mcp
criticalFull OpenProject MCP Server build by PMs for PMs
MCP server (purpose undetermined)
269 const { json } = await opFetch<any>(env, href);// Exploitable if MCP is exposed to untrusted prompts or if a compromised LLM can influence query results.
In runQuery, the 'href' from the query's _links.results.href is used directly in opFetch without validation. An attacker who can control the query (e.g., via a compromised LLM or if the MCP is exposed to untrusted prompts) could craft a query that returns a malicious href pointing to an internal or external URL, leading to SSRF.
ImpactAn attacker could make the server send requests to arbitrary internal or external hosts, potentially accessing internal services, cloud metadata endpoints, or exfiltrating data.
FixValidate that the href is a relative path or matches the expected OpenProject base URL before fetching. Use a URL parser to ensure it's within the allowed origin.
// Source file not analyzed: src/tools/webhooks.ts
// Finding inferred from import chain: src/server.ts:52-58
// Exploitable if MCP is exposed to untrusted prompts or if a compromised LLM can invoke webhook creation.
The webhooks.create tool likely accepts a URL parameter for the webhook target. Without validation, an attacker could provide a URL pointing to internal services (e.g., http://169.254.169.254/latest/meta-data/) or external servers, causing the MCP server to make requests to arbitrary destinations.
ImpactServer-side request forgery, potentially accessing internal cloud metadata, internal APIs, or exfiltrating data to attacker-controlled servers.
FixValidate the webhook URL against an allowlist of permitted domains or enforce that it must be HTTPS and not resolve to private IP ranges.
171export function broadcastSSEEvent(event: SSEEvent): void {
172 const message = formatSSEEvent(event);
173 connections.forEach((connection) => {
174 if (!connection.isActive) {
175 connections.delete(connection.id);
176 return;
177 }
178 if (!eventMatchesFilters(event, connection.filters)) {return;}
179 const ok = connection.send(message);
180 if (!ok) {
181 connection.isActive = false;
182 connections.delete(connection.id);
183 }
184 });
185}// Local-only MCP, requires compromised LLM to exploit.
The broadcastSSEEvent function is exported and can be called by any tool or internal code to push arbitrary events to all connected SSE clients. This could be abused by a compromised LLM or malicious tool to inject fake events, exfiltrate data via event data, or disrupt clients.
ImpactAn attacker could send arbitrary data to all SSE clients, potentially exfiltrating sensitive information or injecting malicious content (e.g., fake project updates).
FixRestrict broadcastSSEEvent to only be callable by trusted internal components, and validate/limit the data that can be broadcast. Consider adding authentication for SSE connections.
63 if (input.filters !== undefined) {params.filters = input.filters;}
64 if (input.sortBy !== undefined) {params.sortBy = input.sortBy;}// Local-only MCP, requires compromised LLM to exploit.
The filters and sortBy parameters are passed directly to the OpenProject API without validation. While the API may reject invalid values, an attacker could inject malicious filter values that cause the API to behave unexpectedly or leak data.
ImpactPotential for API abuse, data leakage, or bypassing intended access controls if the OpenProject API has vulnerabilities in filter handling.
FixValidate that filters and sortBy conform to expected schemas (e.g., array of filter objects) before passing to the API. Reject raw JSON strings if possible.
10 OP_BASE_URL: string;
11 OP_TOKEN: string;// Local-only MCP, requires compromised LLM to exploit.
The OpenProject API token (OP_TOKEN) and base URL are stored as plaintext environment variables. While this is common practice, if the environment is compromised (e.g., via server-side injection or misconfiguration), the token could be exposed.
ImpactAn attacker with access to environment variables could use the OP_TOKEN to authenticate to OpenProject and access or modify data.
FixUse a secrets manager or encrypted storage for sensitive credentials. Ensure environment variables are not logged or exposed in error messages.