ProfessionalWiki/MediaWiki-MCP-Server
criticalModel Context Protocol (MCP) Server to connect your AI with any MediaWiki
This MCP server enables LLM clients to read, write, and manage pages on one or more MediaWiki wikis via tools like page fetching, editing, file upload...
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:6 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP server.
The add-wiki tool allows adding any MediaWiki instance by URL. An attacker could add a malicious wiki that serves crafted responses, potentially leading to data exfiltration or injection attacks when the MCP interacts with that wiki.
ImpactAn attacker could add a rogue wiki to the MCP's configuration, causing subsequent tool calls to interact with an attacker-controlled server, potentially leaking credentials or executing malicious actions.
FixDisable add-wiki by default (allowWikiManagement=false) or restrict it to a whitelist of allowed wiki URLs. Validate that the URL points to a legitimate MediaWiki API.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:6 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP server.
The tools update-file-from-url and upload-file-from-url accept a URL parameter that is used to fetch content from an external source and upload it to the wiki. There is no validation to restrict the URL to trusted domains, allowing an attacker to make the server fetch arbitrary URLs (SSRF) and potentially upload malicious content or exfiltrate data.
ImpactAn attacker could exploit this to perform server-side request forgery (SSRF), accessing internal services, or upload arbitrary content from external sources, potentially leading to data exfiltration or further compromise.
FixImplement a whitelist of allowed URL domains or require the URL to be from a trusted source. Validate the URL scheme (e.g., only https) and consider adding a confirmation step for external URLs.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The tools upload-file-from-url and update-file-from-url accept an arbitrary URL from the user and fetch content from that URL to upload to the wiki. Without validation, an attacker can make the server fetch internal resources (e.g., http://localhost:8080/admin, file:///etc/passwd) or perform SSRF attacks against internal networks.
ImpactAn attacker could read internal files, interact with internal services, or perform port scanning of the internal network, potentially leading to data exfiltration or further compromise.
FixValidate the URL against an allowlist of permitted domains/schemes (e.g., only https:// and known external domains). Block private IP ranges and loopback addresses. Consider using a URL parser to reject file:// or other dangerous schemes.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The add-wiki tool accepts an arbitrary URL from the user and adds it as a wiki resource. Without validation, an attacker could add a malicious wiki server that returns crafted responses, potentially leading to SSRF, data injection, or credential theft if OAuth flows are initiated.
ImpactAn attacker could add a rogue wiki server, causing the MCP to interact with it. This could lead to SSRF, injection of malicious content, or phishing of OAuth tokens.
FixValidate the URL against an allowlist of known wiki domains or enforce that the URL must be a valid MediaWiki API endpoint. Reject private IP ranges and non-http(s) schemes.
// Source file not analyzed: src/tools/extensions/index.js
// Finding inferred from import chain: src/index.ts:6 → src/server.ts:4 → src/tools/extensions/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP server.
The cargo-query and smw-query tools accept arbitrary query strings that are executed against the wiki's Cargo or Semantic MediaWiki extensions. While these are SQL-like or #ask queries, they are executed within the wiki's database context, but an attacker could craft queries that retrieve sensitive data or cause denial of service.
ImpactAn attacker could potentially extract sensitive data from the wiki's database or perform resource-intensive queries leading to denial of service.
FixImplement query parameterization or validation to restrict the types of queries allowed. Consider limiting query complexity and enforcing read-only access.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:6 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP server.
Tools that create, update, or delete pages accept a title parameter that is used directly in API calls. While MediaWiki has its own validation, an attacker could craft titles that cause unexpected behavior or bypass intended restrictions (e.g., using special characters to access restricted namespaces).
ImpactAn attacker could potentially create or modify pages in unintended namespaces or with malicious titles, leading to content spoofing or minor disruption.
FixValidate that the title conforms to expected patterns (e.g., no invalid characters, within allowed namespaces). Consider restricting titles to a predefined set of allowed patterns.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The upload-file and update-file tools accept a local file path from the user and upload that file to the wiki. If the path is not validated, an attacker could upload arbitrary files from the server's filesystem, potentially overwriting sensitive files or uploading malicious content.
ImpactAn attacker could read arbitrary files from the server (by uploading them to the wiki) or overwrite files if the upload destination is not properly restricted, leading to information disclosure or potential code execution.
FixRestrict file paths to a specific upload directory. Validate that the path does not contain '..' or symlinks that escape the intended directory. Consider requiring the file to be provided as content rather than a path.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The get-file tool fetches a file page from the wiki. If the underlying implementation does not properly sanitize the file name, an attacker could potentially read arbitrary files from the server's filesystem (path traversal) or access files outside the intended wiki file repository.
ImpactAn attacker could read sensitive files on the server, such as configuration files, credentials, or other data, leading to information disclosure.
FixSanitize the file name to prevent path traversal (e.g., reject '..' and null bytes). Ensure that file access is restricted to the intended wiki file repository directory.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The parse-wikitext tool renders user-supplied wikitext to HTML. If the output is not properly sanitized, an attacker could inject malicious HTML/JavaScript, leading to XSS if the output is displayed in a browser. Additionally, the tool returns parsed data like templates and external URLs, which could be used for reconnaissance.
ImpactAn attacker could craft wikitext that, when rendered, executes JavaScript in the context of any page that displays the output, leading to XSS attacks. This could also be used to probe for internal resources via template inclusion.
FixSanitize the HTML output to remove script tags and event handlers. Use a safe HTML sanitizer library. Consider returning only plain text or limiting the output to safe elements.
// Source file not analyzed: src/tools/index.js
// Finding inferred from import chain: src/index.ts:4 → src/server.ts:4 → src/tools/index.js:?
// Network-exposed MCP; exploitable by any user with access to the MCP endpoint.
The cargo-query and smw-query tools accept user-supplied queries that are executed against the Cargo or Semantic MediaWiki extensions. If these queries are not properly parameterized or sanitized, an attacker could inject malicious query fragments, potentially accessing data beyond the intended scope or performing unauthorized operations.
ImpactAn attacker could execute arbitrary Cargo/SMW queries, potentially reading sensitive data from the wiki database or performing destructive actions (e.g., dropping tables) if the database user has sufficient privileges.
FixUse parameterized queries or prepared statements to separate query structure from user input. Validate and restrict the query syntax to only allow SELECT-like operations. Apply strict access controls on the database user.
// Source file not analyzed: src/runtime/context.js
// Finding inferred from import chain: src/index.ts:6 → src/server.ts:4 → src/runtime/context.js:?
// Local-only MCP, requires compromised LLM or local access to exploit.
The MCP stores OAuth tokens for wiki authentication. If stored in plaintext on disk, an attacker with local access could retrieve them. However, this is a local-only threat and requires compromised LLM or local access.
ImpactAn attacker with local access could steal OAuth tokens and gain unauthorized access to the wiki.
FixEncrypt stored tokens using a secure key management system or use OS-level credential storage.