sotanengel/local-db-mcp-server · critical

No description

This MCP server provides a web-based interface for managing local DuckDB databases, allowing users to upload CSV/TSV files or DuckDB files, view table...

purpose: This MCP server provides a web-based interface for
threat: network exposed
Python · 0 · May 25, 2026 · May 28, 2026 · GITHUB ↗
RISK SCORE
0 / 100 risk
high findings: +25
medium findings: +90
capped at 100
VULNERABILITY ANALYSIS · 7 findings in 6 blocks · 1 HIGH · 6 MEDIUM
HIGH · 1 finding
mcp_server.py:175
175            # Add LIMIT to the SELECT statement
176            if query.strip().upper().startswith("SELECT") and "LIMIT" not in query.upper():
177                query = f"{query.rstrip(';')} LIMIT {limit}"
178                logger.info(f"Added LIMIT {limit} to SELECT query")
179            
180            result = conn.execute(query).fetchall()

// Exploitable only if MCP is exposed to untrusted prompts (e.g., via LLM agent). Requires compromised LLM to exploit.

EXPLAIN: The MCP server tool 'execute_query' accepts a user-supplied SQL query string. The code directly concatenates this user input into a DuckDB SQL command without any sanitization or parameterization. An attacker can craft a query to bypass the intended SELECT-only execution, potentially leading to arbitrary code execution within the DuckDB context or data exfiltration.
IMPACT: An attacker can execute arbitrary SQL commands against the local DuckDB database, potentially reading sensitive data, modifying schema, or executing destructive operations if DuckDB allows it.
FIX: Use DuckDB's parameterized queries or ensure all user input is strictly validated and sanitized before being passed to the database engine. Do not concatenate user input directly into SQL strings.
MEDIUM · 1 finding
mcp_server.py:175
175            result = conn.execute(query).fetchall()

// Exploitable only if MCP is exposed to untrusted prompts (e.g., via LLM agent). Requires compromised LLM to exploit.

EXPLAIN: The 'execute_query' tool accepts a user-supplied SQL query string. The code directly concatenates this user input into a DuckDB SQL command without any sanitization or parameterization. An attacker can craft a query to bypass the intended SELECT-only execution, potentially leading to arbitrary code execution within the DuckDB context or data exfiltration.
IMPACT: An attacker could potentially execute arbitrary SQL commands against the local DuckDB database, potentially reading sensitive data or modifying the database schema.
FIX: Use DuckDB's parameterized queries or ensure all user input is strictly validated and sanitized before being passed to the database engine. Do not concatenate user input directly into SQL strings.
MEDIUM · 1 finding
mcp_server.py:115
115                for col in columns_info:
116                    col_name = col[0]
117                    col_type = col[1]
118                    nullable = "YES" if col[2] else "NO"
119                    default = col[3] if col[3] is not None else ""
120                    comment = column_comments.get(col_name, "")
121                    response.append(f"| {col_name} | {col_type} | {nullable} | {default} | {comment} |")

// Exploitable only if MCP is exposed to untrusted prompts (e.g., via LLM agent). Requires compromised LLM to exploit.

EXPLAIN: The 'get_table_info' tool accepts a user-supplied table name and column name. These are directly interpolated into a DuckDB query. This allows an attacker to inject SQL into the query, potentially bypassing the WHERE clause or executing unintended commands.
IMPACT: An attacker could potentially execute arbitrary SQL commands against the local DuckDB database, potentially reading sensitive data or modifying the database schema.
FIX: Validate the table name and column name against a whitelist of known names or use DuckDB's parameterized query features where available. Avoid direct string interpolation of user input into SQL commands.
MEDIUM · 2 findings
mcp_server.py:145
145                            table_comment_result = conn.execute(f"SELECT comment FROM duckdb_tables() WHERE table_name = '{table_name}'").fetchone()
MEDIUM · 1 finding
mcp_server.py:97
97                try:
98                    column_comments_result = conn.execute(f"""
99                        SELECT column_name, comment 
100                        FROM duckdb_columns() 
101                        WHERE table_name = '{table_name}' AND comment IS NOT NULL
102                    """ ).fetchall()

// Exploitable only if MCP is exposed to untrusted prompts (e.g., via LLM agent). Requires compromised LLM to exploit.

EXPLAIN: The 'get_table_info' tool accepts a user-supplied table name and column name. These are directly interpolated into a DuckDB query. This allows an attacker to inject SQL into the query, potentially bypassing the WHERE clause or executing unintended commands.
IMPACT: An attacker could potentially execute arbitrary SQL commands against the local DuckDB database, potentially reading sensitive data or modifying the database schema.
FIX: Validate the table name and column name against a whitelist of known names or use DuckDB's parameterized query features where available. Avoid direct string interpolation of user input into SQL commands.
MEDIUM · 1 finding
mcp_server.py:85
85                # Get detailed table information
86                columns_info = conn.execute(f"DESCRIBE {table_name}").fetchall()

// Exploitable only if MCP is exposed to untrusted prompts (e.g., via LLM agent). Requires compromised LLM to exploit.

EXPLAIN: The 'get_table_info' tool accepts a user-supplied table name. This name is directly interpolated into a DuckDB DESCRIBE command. If the table name contains special characters or is crafted to exploit DuckDB's parser, it could lead to SQL injection or unexpected behavior.
IMPACT: An attacker could potentially execute unintended SQL commands or cause the server to behave unexpectedly by providing a malicious table name.
FIX: Validate the table name against a whitelist of known table names or use DuckDB's parameterized query features where available. Avoid direct string interpolation of user input into SQL commands.
5/28/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.