setyolegowo/mcp-server-graphql

high

No description

MCP server (purpose undetermined)

purpose: MCP server (purpose undetermined)threat: network exposed

TypeScript★ 0◷ May 20, 2026⚙ May 20, 2026GITHUB

aigraphqlllmmcp-server

◆Vulnerability Analysis[ 3 findings in 3 blocks ]

◷ 5/20/2026

high1 finding

src/tools/query.ts

35query: z.string(),

src/index.ts:5→src/tools/query.ts:35

// Exploitable by any user sending prompts to the MCP server. For network_exposed, severity is high.

The 'query' parameter is accepted as a raw string with no validation or sanitization. This allows an attacker to send arbitrary GraphQL queries, including mutations if allowed, potentially accessing or modifying data beyond the intended scope.

ImpactAn attacker could execute arbitrary GraphQL queries or mutations against the configured endpoint, potentially reading or modifying sensitive data.

FixImplement a whitelist of allowed queries or use a query allowlist. Alternatively, restrict the tool to only introspection if mutations are not intended.

high1 finding

src/config.ts

8endpoint: z.string().url().min(1, "endpoint is required"),

src/index.ts:3→src/config.ts:8

// Exploitable only if attacker can control the endpoint configuration (e.g., via environment variable injection or command line). For network_exposed, severity is high.

The endpoint is provided at server startup via command line or environment variable. While it is validated as a URL, the server will make HTTP requests to that endpoint. If an attacker can control the endpoint (e.g., via environment variable injection or command line manipulation), they could make the server send requests to internal services (SSRF).

ImpactAn attacker could use the MCP server to probe internal networks, access cloud metadata endpoints, or interact with other internal services.

FixRestrict the endpoint to a whitelist of allowed URLs, or validate that the endpoint is not a private IP range. Alternatively, document that the endpoint must be trusted.

medium1 finding

src/config.ts

7allowMutations: z.boolean().default(false),

src/index.ts:3→src/config.ts:7

// Only exploitable if the server is configured with mutations enabled. For network_exposed, severity is medium.

The configuration allows enabling mutations via the 'enable-mutations' flag. When enabled, the 'query-graphql' tool can execute any mutation, which may be beyond the intended purpose of the server (e.g., if it was meant only for introspection).

ImpactIf mutations are enabled, an attacker could modify data in the GraphQL backend, potentially causing data loss or corruption.

FixRemove the mutation capability or restrict it to a specific set of allowed mutations. Document that enabling mutations expands the attack surface.

◆Heuristic Signals

shell.execnetwork.httpenv.exposure

◆Risk Score

LLM-based

high findings+50

medium findings+15