zantiu/mcp-server-supos
critical: mcp server supos open-api
MCP server (purpose undetermined)
if (process.argv.length >= 5) {
  // Last three argv entries are treated as URL, API key and MQTT URL.
  const args = process.argv.slice(-3);
  if (args.length !== 0) {
    SUPOS_API_URL = args?.[0];
    SUPOS_API_KEY = args?.[1]; // credential taken from the command line
    SUPOS_MQTT_URL = args?.[2];
  }
}
Exploitability: Exploitable by any local user with access to process listings or shell history.
The SUPOS_API_KEY is accepted as a command line argument, which can be visible in process listings (e.g., ps aux) and shell history, exposing the credential to other users on the system.
Impact: An attacker with local access could obtain the API key from process listings or shell history, gaining unauthorized access to the SupOS API.
Fix: Use environment variables exclusively for sensitive credentials. Remove command line argument parsing for the API key.
function getTopicRealtimeData(subscribeTopic: string) {
  return new Promise((resolve) => {
    ...
    client.on("connect", function () {
      // subscribeTopic comes straight from the tool input; no validation here
      client.subscribe(`${subscribeTopic}`, function (err) {
        if (err) {
          resolve(`订阅${subscribeTopic}失败`);
        }
      });
    });
    ...
  });
}
Exploitability: Exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or if the LLM is compromised (local_only).
The 'get-topic-realtime-data' tool accepts a 'topic' string from the LLM and passes it directly to MQTT client.subscribe() without any validation or sanitization. This allows subscribing to any MQTT topic, including wildcards like '#' or '+', which could expose all MQTT messages.
Impact: An attacker (via a compromised LLM) could subscribe to all MQTT topics (e.g., '#') and exfiltrate sensitive data from the MQTT broker, or subscribe to control topics to manipulate devices.
Fix: Restrict allowed topics to a predefined list or pattern. Validate the topic string against a whitelist of allowed topics. Avoid passing user input directly to subscribe.
client.on("connect", function () {
  // Subscribes to every topic on the broker
  client.subscribe("#", function (err) {
    // console.log("err", err);
  });
});
Exploitability: Local-only MCP; requires a compromised LLM or local access to exploit.
The getAllTopicRealtimeData function subscribes to all MQTT topics using the wildcard '#'. This is an intentional design choice to cache all real-time data, but it represents an excessive capability that could be abused if the MQTT broker contains sensitive topics.
Impact: All MQTT messages are collected and written to a local file, which could include sensitive data. If an attacker gains access to the file or the MCP server, they could read all MQTT traffic.
Fix: Restrict the subscription to only the necessary topics. If a wildcard is required, ensure the MQTT broker is properly secured and the cached file is protected.
async function getModelTopicDetail(topic: string): Promise<any> {
  // topic is URL-encoded but otherwise unchecked
  const url = `${SUPOS_API_URL}/open-api/supos/uns/model?topic=${encodeURIComponent(
    topic
  )}`;
  const response = await fetch(url, {
    headers: {
      apiKey: `${SUPOS_API_KEY}`,
    },
  });
Exploitability: Exploitable if the MCP server is exposed to untrusted prompts or if the LLM is compromised.
The 'get-model-topic-detail' tool accepts a 'topic' string from the LLM and uses it to construct an API URL. While the topic is URL-encoded, there is no validation that the topic is a legitimate model topic. An attacker could potentially inject special characters or manipulate the API call.
Impact: An attacker could query arbitrary topics on the SupOS API, potentially accessing data they should not have access to, or cause the API to return unexpected results.
Fix: Validate the topic against a whitelist of allowed topics or enforce a strict pattern (e.g., alphanumeric with dots).