
mcpflow/HenryHaoson_Yuque-MCP-Server

high

Mirror of https://github.com/HenryHaoson/Yuque-MCP-Server

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)
threat: network exposed
2
May 20, 2026
May 20, 2026
GITHUB
5/20/2026
high: 1 finding
src/server.ts
271          Logger.log(`accessToken: ${accessToken}`);
src/server.ts:271

// Exploitable if logs are accessible to an attacker, e.g., in shared logging systems.

The accessToken parameter is logged in plaintext, which could expose the API token in logs or to unauthorized parties.

Impact: An attacker with access to logs could obtain the Yuque API token and perform unauthorized actions on behalf of the user.

Fix: Remove logging of sensitive tokens. Use a sanitized log message or omit the token entirely.

high: 1 finding
src/mcp_hook.ts
14  export async function mcpHook_updateMessageBody(req:express.Request) :Promise<any>{
15      const query = req.query as Record<string, string>;
16      const fixedQuery = getFixedQuery(query);
17      ...
18      if (bodyJson.method === "tools/call") {
19          if(!bodyJson.params.arguments) {
20              bodyJson.params.arguments = {};
21          }
22          bodyJson.params.arguments = {
23              ...bodyJson.params.arguments,
24              ...fixedQuery
25          };
26      }
27      return bodyJson;
28  }
src/mcp_hook.ts:14-37
src/server.ts:970-971

// Exploitable when MCP is exposed over HTTP (network_exposed).

The HTTP server merges query parameters into tool call arguments, allowing an attacker to override the accessToken parameter via the URL. This enables using a different token than the one configured, potentially bypassing authentication or accessing other users' data.

Impact: An attacker could supply an arbitrary accessToken via query parameter, gaining unauthorized access to Yuque resources belonging to other users or organizations.

Fix: Do not allow overriding sensitive parameters like accessToken via query parameters. Validate that only allowed parameters can be overridden, or remove the merge entirely.

medium: 1 finding
src/server.ts
248        namespace: z.string().describe("知识库的命名空间,格式为 user/repo"),
249        slug: z.string().describe("文档的唯一标识或短链接名称"),
src/server.ts:248-249

// Exploitable only if MCP is exposed to untrusted prompts.

The namespace and slug parameters are only validated as strings, with no format or pattern constraints. This could allow path traversal or injection into API requests, though the actual risk is limited because the values are used in URL paths to the Yuque API, not directly to the filesystem.

Impact: An attacker might be able to craft namespace or slug values that cause unexpected API calls, but the impact is limited to the Yuque API scope.

Fix: Add regex validation to ensure namespace follows the expected 'user/repo' format and slug contains only allowed characters.

shell.exec
env.exposure
network.http
65
LLM-based
high findings: +50
medium findings: +15