[ ⌘K ]
← BACK TO SEARCH

elizabethsiegle/remote-mcp-server-authless-talk-to-db

critical

Chat w/ Cloudflare D1 Database Remote MCP Server

This MCP server provides a remote interface to a Cloudflare D1 SQL database, allowing LLMs to query and retrieve book information via natural language...

purpose: This MCP server provides a remote interface to a Cthreat: network exposed
TypeScript1May 20, 2026May 20, 2026GITHUB
cloudflare-d1cloudflare-mcpcloudflare-workerscloudflare-workers-d1cloudflareworkersmcpremote-mcp-server
Vulnerability Analysis[ 4 findings in 4 blocks ]
5/20/2026
high1 finding
src/index.ts
136sqlQuery += ` LIMIT ${limit}`;
src/index.ts:136

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The limit parameter is directly interpolated into the SQL query. Although it is validated as a number between 1 and 20, if the validation is bypassed or if the parameter is provided as a string that passes the number check (e.g., via type coercion), it could allow SQL injection. Additionally, using string interpolation for a numeric value is unnecessary and risky.

ImpactAn attacker could inject SQL commands via the limit parameter, potentially leading to data exfiltration or modification.

FixUse parameterized queries for the limit value. Since it is a number, it can be safely passed as a parameter.

high1 finding
src/index.ts
133sqlQuery += ` ORDER BY ${sortBy} ${sortBy === 'avg_rating' ? 'DESC' : 'ASC'}`;
src/index.ts:133

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The sortBy parameter is directly interpolated into the SQL query without sanitization. Although it is typed as a Zod enum, the validation only ensures it is one of the three allowed values at runtime. However, if the Zod validation is bypassed or if the parameter is provided as a string that passes the enum check but contains SQL injection payloads (e.g., via type coercion or prototype pollution), it could lead to SQL injection. More critically, the sortBy value is used directly in the ORDER BY clause without parameterization, which is a common SQL injection vector.

ImpactAn attacker could manipulate the ORDER BY clause to execute arbitrary SQL commands, potentially reading, modifying, or deleting data from the D1 database.

FixUse parameterized queries for the sortBy column name. Since column names cannot be parameterized, validate the sortBy value against a whitelist of allowed column names and use a conditional to build the query safely.

medium1 finding
src/index.ts
156let prompt;
157if (isTopRatedQuery) {
158  prompt = `Here are the top ${limit} highest rated books:
159${context}
160
161Please list these books...`;
162} else if (isRecommendationQuery) {
163  prompt = `Based on the search query "${query}", here are some recommended books:
164${context}
165
166Please provide a brief summary...`;
167} else if (isAuthorQuery) {
168  prompt = `Here are books by the author matching "${query}":
169${context}
170
171Please list these books...`;
172} else {
173  prompt = `Here are some relevant books I found for "${query}":
174${context}
175
176Please provide a brief summary...`;
177}
src/index.ts:156-177

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The user-supplied query parameter is directly interpolated into the LLM prompt without sanitization. An attacker could craft a query that injects malicious instructions, causing the LLM to ignore its system prompt and produce unintended output or leak information.

ImpactAn attacker could manipulate the LLM's behavior, potentially causing it to reveal sensitive information, generate misleading content, or perform actions outside its intended scope.

FixSanitize or escape user input before including it in the prompt. Consider using a separate input field for the query and avoid direct interpolation into the prompt template.

medium1 finding
src/index.ts
179const response = await env.AI.run("@cf/meta/llama-3.3-70b-instruct-fp8-fast", { messages });
180
181return {
182  content: [
183    {
184      type: "text",
185      text: typeof response === 'string' ? response : JSON.stringify(response),
186    },
187  ],
188};
src/index.ts:179-195

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

The searchBooks tool uses an LLM to generate a response based on database results. While this is within the intended purpose, the LLM's output is returned directly to the user without any filtering. If the database contains malicious or sensitive data, the LLM could inadvertently expose it. Additionally, the LLM could be manipulated via prompt injection to generate harmful content.

ImpactAn attacker could use prompt injection to cause the LLM to output sensitive database contents or generate misleading information.

FixImplement output filtering or sanitization on the LLM response. Consider using a more constrained prompt template that limits the LLM's ability to deviate from the intended task.

Heuristic Signals
shell.execauth.nonenetwork.httpenv.exposure

Risk Score

80
LLM-based
high findings+50
medium findings+30