
barwalgayatri02/MCPServer_WebScrapping

high

Creation of MCPServer Web scrapping project

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)
threat: network exposed
Python | 0 | May 20, 2026 | May 20, 2026 | GITHUB
5/20/2026
high: 1 finding
mcp_server.py
64  async def fetch_url(url: str):
65      async with httpx.AsyncClient() as client:
66          response = await client.get(url, timeout=30.0)
67          ...
68          return cleaned_response
mcp_server.py:64

// Exploitable if MCP is exposed to untrusted prompts or if an attacker can influence search results (e.g., via SEO poisoning).

The fetch_url function accepts a URL directly from search results without any validation or sanitization. An attacker could craft a search result that points to an internal service (e.g., http://169.254.169.254/latest/meta-data/) or a malicious external site, leading to Server-Side Request Forgery (SSRF).

Impact: An attacker could use this tool to scan internal networks, access cloud metadata endpoints, or exfiltrate data to an attacker-controlled server.

Fix: Validate the URL against an allowlist of expected domains (e.g., only allow URLs from the docs_urls mapping). Use a URL parser to reject IP addresses, private ranges, and non-HTTP schemes.

medium: 1 finding
mcp_server.py
124  @mcp.tool()
125  async def get_docs(query: str, library: str):
126      if library not in docs_urls:
127          raise ValueError(f"Library {library} not supported by this tool")
128      query = f"site:{docs_urls[library]} {query}"
mcp_server.py:124

// Exploitable if MCP is exposed to untrusted prompts.

The library parameter is only checked against a predefined dictionary, but the query parameter is not sanitized. An attacker could inject special characters or additional search operators into the query, potentially manipulating the search API call.

Impact: An attacker could craft a query that bypasses the site restriction or injects malicious payloads into the search request, though the impact is limited by the Serper API's own restrictions.

Fix: Sanitize the query input to remove or escape special characters. Consider using a parameterized approach or encoding the query.

medium: 1 finding
mcp_server.py
43  headers = {
44      'X-API-KEY': os.getenv("SERPER_API_KEY"),
45      'Content-Type': 'application/json'
46  }
mcp_server.py:43

// Local-only MCP, requires compromised LLM or host access to exploit.

The SERPER_API_KEY is loaded from environment variables and used directly. If the key is missing or invalid, the error may leak information. Additionally, the key could be exposed if the server is compromised or logs are mishandled.

Impact: An attacker with access to the server's environment or logs could obtain the API key and use it to make unauthorized requests to the Serper API.

Fix: Ensure the API key is stored securely (e.g., using a secrets manager) and validate its presence before use. Avoid logging the key.

shell.execenv.exposure
55
LLM-based
high findings: +25
medium findings: +30