FoggyRocket/mcp-server
high
No description
This MCP server provides document parsing, indexing, and search capabilities. It accepts document content via POST, parses it (supporting markdown, YA...
app.use('*', cors({
  origin: ['http://localhost:3000', 'http://localhost:3001', 'http://localhost:5173', 'http://localhost:8080'],
  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowHeaders: ['Content-Type', 'Authorization'],
}))
// Network-exposed MCP server; any attacker with network access can exploit.
The server exposes multiple endpoints (POST /docs, GET /search, GET /search/vector, POST /search/clear) without any authentication or authorization. The CORS configuration only restricts origins but does not prevent direct access from any client. The threat model is network_exposed, meaning any network attacker can call these endpoints.
Impact: An attacker can index arbitrary documents, search indexed content, and clear the entire search index without any authentication. This could lead to data injection, information disclosure, and denial of service.
Fix: Implement authentication (e.g., API key, JWT) on all endpoints, especially POST /docs and POST /search/clear. Consider rate limiting and input validation.
search.post("/clear", async (c) => {
  try {
    await oramaService.clearIndex();

    return c.json({
      status: "ok",
      message: "Search index cleared successfully"
    });
  } catch (err: any) {
    return c.json({ error: err.message }, 500);
  }
});
// Network-exposed; any attacker can clear the index.
The POST /search/clear endpoint allows any unauthenticated user to completely wipe the search index. This is a destructive action that goes beyond the intended purpose of document parsing and search. The endpoint has no validation or authorization.
Impact: An attacker can delete all indexed documents, causing denial of service and data loss. This is especially critical if the index is the primary storage for parsed documents.
Fix: Remove the clear endpoint or protect it with authentication and authorization. Alternatively, require a confirmation token or restrict to admin users.
docs.post("/", async (c) => {
  const body = await c.req.json();
  if (!body.content || !body.filename) {
    return c.json({ error: "Missing 'content' or 'filename'" }, 400);
  }
  try {
    const parsed = await parseDoc(body.content, body.filename);
    await oramaService.indexDocument(parsed);
    return c.json({
      status: "ok",
      document: parsed,
      indexed: true
    });
  } catch (err: any) {
    return c.json({ error: err.message }, 500);
  }
});
// Network-exposed; any attacker can send arbitrary payloads.
The POST /docs endpoint accepts arbitrary content and filename without any validation on size, type, or structure. An attacker can send extremely large documents to exhaust memory or disk, or send malformed content that could cause parsing errors or unexpected behavior. The filename is used in parsing but not sanitized, potentially allowing path traversal if passed to file system operations (though not evident here).
Impact: An attacker can cause denial of service by sending large documents, or potentially exploit parsing vulnerabilities in the DocParserService (e.g., YAML deserialization, JSON injection).
Fix: Add limits on content size (e.g., 1MB), validate filename extension against allowed types, and sanitize filename to prevent path traversal. Implement rate limiting.