blake365/macrostrat-mcp

// Exploitable only if MCP is exposed to untrusted prompts. In local-only usage, requires a compromised LLM to exploit.

The map-tiles tool constructs a URL using user-supplied parameters (scale, z, x, y, format) without validation that the resulting URL points to the intended tiles server. While the base domain is hardcoded, the path components are fully controlled by the user. An attacker could inject path traversal sequences (e.g., '../') in the 'scale' parameter to redirect requests to arbitrary paths on the tiles server, potentially accessing unintended resources or causing SSRF-like behavior.

ImpactAn attacker could craft requests to access arbitrary paths on tiles.macrostrat.org, potentially accessing internal API endpoints or other resources not intended for public exposure. This could lead to information disclosure or abuse of the tiles server.

FixValidate that the 'scale' parameter is one of the allowed enum values before constructing the URL. Additionally, sanitize or reject any path traversal characters in all user-supplied parameters used in URL construction.

// Exploitable only if MCP is exposed to untrusted prompts. In local-only usage, requires a compromised LLM to exploit.

The 'defs' tool accepts a 'parameters' string that is directly passed to URLSearchParams and appended to the API URL. There is no validation or sanitization of this string, allowing an attacker to inject arbitrary query parameters, including potentially overriding existing parameters or adding unexpected ones. This could lead to unexpected API behavior or access to unintended endpoints.

ImpactAn attacker could manipulate API requests to bypass intended constraints, access data from different endpoints, or cause the API to return unexpected results. While the base URL is fixed, the query string is fully controllable.

FixInstead of accepting a raw string, define specific input parameters for the tool and construct the query string programmatically. If a free-form string is necessary, validate it against a whitelist of allowed parameters or sanitize it to prevent injection.

// Exploitable only if MCP is exposed to untrusted prompts. In local-only usage, requires a compromised LLM to exploit.

The 'defs-autocomplete' tool accepts a 'query' string that is directly used as a query parameter without validation. An attacker could inject special characters or additional parameters by crafting the query string, potentially leading to unexpected API behavior or parameter pollution.

ImpactAn attacker could manipulate the autocomplete API request to return unintended results or cause the API to behave unexpectedly. While the impact is limited due to the fixed endpoint, it could still lead to information disclosure or bypass of intended restrictions.

FixValidate the 'query' parameter to ensure it contains only expected characters (e.g., alphanumeric and spaces). Use URLSearchParams properly to encode the value, which is already done, but consider additional validation.

// Exploitable only if MCP is exposed to untrusted prompts. In local-only usage, requires a compromised LLM to exploit.

When the map-tiles tool fails to fetch a tile image, it logs the error to console and includes the error message in the response. This could leak internal server information, such as network paths or configuration details, if the error message contains sensitive data.

ImpactAn attacker could potentially gain insight into the server's internal network or configuration by triggering errors and reading the error messages. This is low severity because the error messages are likely generic, but it could aid in further attacks.

FixAvoid exposing raw error messages to the user. Log detailed errors server-side and return a generic error message to the client.