mifunedev/mcp-sse

critical

🔌🔄 Simple MCP Server Deployment

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)
threat: network exposed
Python · 4 · May 20, 2026 · May 20, 2026 · GITHUB
anthropic, claude, container, deepseek, docker, gemini, langchain, langgraph, mcp, modelcontextprotocol, ngrok, openai, sonnet, ubuntu, vibecoding
5/20/2026
critical: 1 finding
main.py
@mcp.tool()
def shell_command(command: str) -> str:
    """Execute a shell command"""
    ctx = mcp.get_context()
    middleware(ctx.request_context)
    return tool_shell_command(command)
main.py:9 · src/utils/shell.py

// Network-exposed MCP server; any client can call this tool if authentication is missing or bypassed.

The shell_command tool accepts an arbitrary command string and executes it via tool_shell_command without any validation or sanitization. The middleware call appears to check an API key, but the tool is exposed over the network and the middleware implementation is not shown; if the key is missing or bypassed, any attacker can execute arbitrary shell commands.

Impact: An attacker can execute arbitrary shell commands on the server, leading to full system compromise, data exfiltration, or lateral movement.

Fix: Remove the shell_command tool if not essential, or restrict it to a whitelist of allowed commands. Ensure the API key middleware is enforced and cannot be bypassed.

high: 1 finding
main.py
@mcp.tool()
def web_scrape(url: str) -> str:
    """Scrape a web page"""
    return retrieve_webpage(url)
main.py:8 · src/utils/scrape.py

// Network-exposed MCP server; any client can call this tool.

The web_scrape tool accepts an arbitrary URL and fetches it without validation. This allows an attacker to make the server request internal or external resources (server-side request forgery, SSRF), potentially accessing internal services such as cloud metadata endpoints.

Impact: An attacker can probe internal networks, access cloud instance metadata, or scan internal services, leading to information disclosure or further compromise.

Fix: Validate the URL against an allowlist of permitted domains, block private IP ranges, and restrict the protocol to HTTPS only.

medium: 1 finding
main.py
@mcp.tool()
def web_search(query: str, search_type: Literal["question", "context", None] = None) -> str:
    """Search the web"""
    result = Search().query(query, search_type)
    return result
main.py:10 · src/utils/search.py

// Network-exposed MCP server; any client can call this tool.

The web_search tool accepts a query string without any validation or sanitization. While less severe than shell execution, it could be used to craft malicious search queries that exploit the underlying search API or cause unintended behavior.

Impact: An attacker could potentially abuse the search functionality to perform injection attacks against the search backend or cause excessive resource usage.

Fix: Validate and sanitize the query input, implement rate limiting, and restrict search types to safe defaults.

env.exposure, shell.exec
80
LLM-based
high findings: +25
medium findings: +15
critical findings: +40