vrknetha/aisdk-mcp-bridge

critical

Bridge package enabling seamless integration between Model Context Protocol (MCP) servers and AI SDK tools. Supports multiple server types, real-time communication, and TypeScript.

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined); threat: network exposed
TypeScript · 23 · May 20, 2026 · May 20, 2026 · GITHUB
aisdk, functioncalling, mcp, mcp-server, modelcontextprotocol, toolcalling
5/20/2026
high (1 finding)
src/server.ts
const server = spawn(serverConfig.command, serverConfig.args, {
  env: {
    ...process.env,
    ...serverConfig.env,
  },
  stdio: ['pipe', 'pipe', 'pipe'],
});
src/index.ts:124, src/server.ts:87

// Exploitable if an attacker can modify the configuration file or if the configuration is loaded from an untrusted source.

The MCPServerManager spawns arbitrary commands from the configuration file without any validation or restriction on what commands can be executed. The configuration is loaded from a JSON file and can specify any command and arguments, allowing execution of arbitrary system commands.

Impact: An attacker who can modify the MCP configuration file (e.g., via path traversal or other means) can execute arbitrary commands on the server with the privileges of the MCP process. This includes reading/writing files, network access, and other system operations.

Fix: Restrict allowed commands to a whitelist of known safe executables, or validate that the command is within an expected set. Consider running servers in a sandboxed environment.

high (2 findings)
src/server.ts
env: {
  ...process.env,
  ...serverConfig.env,
},
stdio: ['pipe', 'pipe', 'pipe'],
});
medium (1 finding)
src/index.ts
async function loadMcpConfig(configPath: string): Promise<MCPServersConfig> {
  try {
    const configContent = await fs.readFile(configPath, 'utf-8');
    const config = JSON.parse(configContent);
    return MCPServersConfigSchema.parse(config);
  } catch (error) {
    log(`Failed to load config from ${configPath}`, error, { type: 'error' });
    throw error;
  }
}
src/index.ts:118, src/index.ts:49

// Exploitable if an attacker can control the configPath parameter, e.g., via command-line arguments or environment variables.

The loadMcpConfig function accepts a configPath parameter that is used directly in fs.readFile without validation. If an attacker can control this path (e.g., via user input or environment variable), they could read arbitrary files on the system.

Impact: An attacker could read sensitive files outside the intended configuration directory, such as /etc/passwd, SSH keys, or other application secrets.

Fix: Validate that the configPath is within an allowed directory, or use a fixed path relative to a safe base directory.

medium (1 finding)
src/index.ts
async function saveMcpConfig(
  config: MCPServersConfig,
  configPath: string
): Promise<void> {
  try {
    await fs.writeFile(configPath, JSON.stringify(config, null, 2));
    log('Saved MCP config', { path: configPath }, { type: 'debug' });
  } catch (error) {
    log(`Failed to save config to ${configPath}`, error, { type: 'error' });
    throw error;
  }
}
src/index.ts:63

// Exploitable if an attacker can control the configPath parameter.

The saveMcpConfig function writes to a file path provided as a parameter without validation. An attacker who can control this path could write arbitrary content to any location on the filesystem, potentially overwriting critical files.

Impact: An attacker could overwrite system files, configuration files, or plant malicious scripts that get executed.

Fix: Restrict the output path to a safe directory and validate that it does not contain path traversal sequences.

medium (1 finding)
src/index.ts
if (serverName) {
  const serverManager = MCPServerManager.getInstance(service.getConfig());
  const config = serverManager.getConfig();
  if (!config?.mcpServers[serverName]) {
    const error = new Error(
      `Server "${serverName}" not found in configuration`
    );
    log(`Failed to get MCP tools: ${error.message}`, undefined, {
      type: 'error',
    });
    throw error;
  }
}
src/index.ts:180, src/index.ts:202

// Low risk; requires other vulnerabilities to be exploitable.

The serverName parameter is used to index into the mcpServers object without sanitization. While it is checked for existence, it could be used for property injection if the object has inherited properties or if the attacker can control the configuration.

Impact: Limited direct impact, but could lead to unexpected behavior or information disclosure if combined with other vulnerabilities.

Fix: Validate that serverName is a string and does not contain special characters. Use hasOwnProperty or Object.hasOwn to check existence.

network.http, browser.automation, shell.exec, env.exposure, filesystem.write
100
LLM-based
low findings +5
high findings +50
medium findings +45