Wildcard-Official/deepcontext-mcp · critical

DeepContext is an MCP server that adds symbol-aware semantic search to Claude Code, Codex CLI, and other agents for faster, smarter context on large codebases.

purpose: DeepContext is an MCP server that provides symbol-aware semantic search for large codebases, enabling AI coding agents to find relevant code chunks us...
threat: network exposed

TypeScript · 277 · May 25, 2026 · Jun 1, 2026
RISK SCORE
0 / 100 risk
low findings: +5
high findings: +100
medium findings: +60
capped at 100
VULNERABILITY ANALYSIS · 9 findings in 9 blocks · 4 HIGH · 4 MEDIUM
HIGH · 1 finding
src/services/NamespaceManagerService.ts:60
const resolvedPath = path.resolve(codebasePath);

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: Multiple methods in NamespaceManagerService use path.resolve on user-supplied codebasePath without validation, allowing path traversal attacks.
IMPACT: An attacker could manipulate codebase paths to access or modify files outside the intended scope, potentially leading to information disclosure or data corruption.
FIX: Validate that the resolved path is within an allowed base directory using path.relative and checking that it does not start with '..'.
HIGH · 1 finding
src/services/FileProcessingService.ts:81
const normalizedPath = path.resolve(codebasePath);

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The codebasePath parameter is resolved using path.resolve without any validation or sanitization. This allows an attacker to supply paths like '../../etc/passwd' to escape the intended codebase directory.
IMPACT: An attacker could read or write files outside the intended codebase directory, potentially accessing sensitive system files or overwriting critical data.
FIX: Validate that the resolved path is within an allowed base directory using path.relative and checking that it does not start with '..'.
HIGH · 1 finding
src/services/LockService.ts:28
const safeKey = operationKey.replace(/[^a-zA-Z0-9-_]/g, '_');

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The operationKey is sanitized but the resulting safeKey is used to construct a file path. However, the operationKey itself may contain path traversal sequences that are not fully sanitized (e.g., '..' is replaced with '__' but still could be used to traverse directories if the replacement doesn't prevent directory traversal).
IMPACT: An attacker could potentially write lock files to arbitrary locations, leading to denial of service or file overwrite.
FIX: Use a hash of the operationKey instead of sanitizing it, or ensure the resulting path is within a designated directory.
HIGH · 1 finding
src/services/FileProcessingService.ts:384
private getFileMetadataPath(codebasePath: string): string {
    const dataDir = process.env.CODEX_CONTEXT_DATA_DIR || path.join(process.env.HOME || '~', '.codex-context');
    const pathHash = crypto.createHash('md5').update(codebasePath).digest('hex').substring(0, 8);
    return path.join(dataDir, `${pathHash}-file-metadata.json`);
}

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The codebasePath is used to generate a hash for the metadata filename, but the hash is only 8 hex characters, which is insufficient to prevent collisions. Additionally, the dataDir is derived from environment variables that could be manipulated.
IMPACT: An attacker could cause collisions in metadata files, leading to data corruption or information disclosure.
FIX: Use a full hash (e.g., SHA256) and validate that the dataDir is within an allowed directory.
MEDIUM · 1 finding
src/services/NamespaceManagerService.ts:185
async clearIndexedCodebases(codebasePath?: string): Promise<{
    success: boolean;
    message: string;
    namespacesCleared: string[];
}> {
    const namespacesCleared: string[] = [];

    try {
        if (codebasePath) {
            // Clear specific codebase
            const resolvedPath = path.resolve(codebasePath);
            const indexed = this.indexedCodebases.get(resolvedPath);

            if (indexed) {
                // Clear the vector store namespace
                await this.codebaseOperations.clearNamespace(indexed.namespace);
                namespacesCleared.push(indexed.namespace);

                // Remove from tracking
                this.indexedCodebases.delete(resolvedPath);
                this.logger.info(`🗑️ Cleared codebase: ${resolvedPath} (${indexed.namespace})`);
            } else {
                return {
                    success: false,
                    message: `Codebase not found: ${codebasePath}`,
                    namespacesCleared: []
                };
            }
        } else {
            // Clear all codebases
            for (const indexed of this.indexedCodebases.values()) {
                await this.codebaseOperations.clearNamespace(indexed.namespace);
                namespacesCleared.push(indexed.namespace);
            }
            this.indexedCodebases.clear();
            this.logger.info(`🗑️ Cleared all indexed codebases (${namespacesCleared.length} namespaces)`);
        }

        // Save the updated state
        await this.saveIndexedCodebases();

        return {
            success: true,
            message: codebasePath
                ? `Cleared codebase: ${codebasePath}`
                : `Cleared all ${namespacesCleared.length} indexed codebases`,
            namespacesCleared
        };

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The clearIndexedCodebases method allows clearing all indexed data without any confirmation or authorization check. This could be used to destroy all indexed codebase data.
IMPACT: An attacker could delete all indexed codebase data, causing denial of service and loss of search functionality.
FIX: Require confirmation or authorization before clearing all indexed data.
MEDIUM · 1 finding
src/services/FileProcessingService.ts:122
// Validate path exists and is accessible
await fs.access(codebasePath);

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: While fs.access is called, it only checks existence and permissions. There is no validation that the path is a directory or that it is within an allowed scope. An attacker could point to any readable directory.
IMPACT: An attacker could index arbitrary directories, potentially leaking sensitive file contents through search results.
FIX: Validate that the path is a directory and is within an allowed base directory.
MEDIUM · 1 finding
src/services/FileProcessingService.ts:267
private async processSingleFile(
    filePath: string,
    codebasePath: string,
    options: FileProcessingOptions = {}
): Promise<CodeChunk[]> {
    try {
        // Create a minimal IndexingRequest for single file processing
        const indexingRequest: IndexingRequest = {
            codebasePath,
            forceReindex: false,
            enableContentFiltering: options.enableContentFiltering !== false,
            enableDependencyAnalysis: options.enableDependencyAnalysis !== false
        };

        // Use the IndexingOrchestrator to process the file
        const chunks = await this.indexingOrchestrator.processFile(filePath, indexingRequest);

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The processSingleFile method accepts a filePath that is not validated to be within the codebasePath. An attacker could provide an arbitrary file path to read and index any file on the system.
IMPACT: An attacker could read arbitrary files on the system and make their contents searchable, leading to information disclosure.
FIX: Validate that the filePath is within the codebasePath using path.relative and checking that it does not start with '..'.
MEDIUM · 1 finding
src/services/NamespaceManagerService.ts:384
const normalizedPath = path.resolve(codebasePath);
// Check if path exists
const fs = await import('fs/promises');
await fs.access(normalizedPath);

// Exploitable if MCP is exposed to untrusted prompts (network_exposed).

EXPLAIN: The getIndexingStatus method resolves the codebasePath and checks existence, but does not validate that it is within an allowed scope. An attacker could probe for existence of arbitrary files.
IMPACT: An attacker could use this as an oracle to check for existence of files on the system, aiding in reconnaissance.
FIX: Validate that the resolved path is within an allowed base directory.
LOW · 1 finding
background-indexing-worker.mjs:22
console.log(`[BACKGROUND] Using Wildcard API`);
console.log(`[BACKGROUND] Wildcard API Key: ${process.env.WILDCARD_API_KEY?.substring(0, 10)}...`);
console.log(`[BACKGROUND] Wildcard API URL: ${process.env.WILDCARD_API_URL}`);

// Exploitable if logs are accessible to unauthorized parties.

EXPLAIN: The background indexing worker logs the first 10 characters of the Wildcard API key to the console. While truncated, this still exposes part of the key and could be captured in logs.
IMPACT: An attacker with access to logs could obtain partial API key information, potentially aiding in brute-force attacks.
FIX: Remove logging of API key fragments or mask them more thoroughly.
6/1/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.