# 5 of 5: Every Official MCP Server We Audited Carries Known-Vulnerable Transitive Dependencies - Bindfort Research

We scanned every reference MCP server in the official @modelcontextprotocol npm namespace using Bindfort's deep transitive CVE scanner. Five servers, five hits. Every single one resolves @modelcontextprotocol/sdk@1.0.1 as a transitive dependency - a version carrying two open HIGH-severity GHSAs, one enabling denial-of-service from a crafted tool response, one enabling silent browser-based tool invocation against a user's localhost.

Standard SCA tooling - the kind that most teams already have - returned zero findings on all five servers. Only a full recursive dependency tree walk surfaced the exposure. That gap is the problem.

## Background

Model Context Protocol has become the default integration layer between AI agents and the tools they operate. Claude Desktop, Cursor, and a growing number of agentic frameworks all consume MCP servers - often the official reference implementations - to provide agents with access to filesystems, code, APIs, and data. The @modelcontextprotocol namespace on npm is where teams start.

Supply chain risk in agentic infrastructure is qualitatively different from the web-app case. When a vulnerability lets an attacker influence the tool responses an agent reads, it isn't just data exfiltration - it's prompt injection at the infrastructure layer. The surface is new; the tools defending it haven't caught up.

## Methodology

| Item | Value |
|---|---|
| Scan date | 2026-04-26 |
| Scanner | Bindfort serve-admin + tests/cve-scan-bootstrap harness |
| Vulnerability source | OSV.dev |
| Method | Full recursive `npm ls --json --all` walk - one DependencyInput per node in the transitive tree - matched against the OSV advisory database via PURL query |
| Baseline | Frozen at tests/cve-scan-bootstrap/out-baseline-2026-04-26/ |

Each server was scanned two ways to expose the gap between deep and shallow analysis:

- Deep (npm tree): BinaryInspectFetcher runs `npm ls` and walks every transitive node recursively
- Shallow (PURL): PURLFetcher queries the top-level package by name and version only - equivalent to what most SCA tools do by default

## Findings

5 of 5 servers. 10 HIGH findings. 0 findings from shallow scan.

| Server | Deep scan | Shallow scan |
|---|---|---|
| @modelcontextprotocol/server-filesystem | 2 HIGH | 0 |
| @modelcontextprotocol/server-github (npm-deprecated) | 2 HIGH | 0 |
| @modelcontextprotocol/server-everything | 2 HIGH | 0 |
| @modelcontextprotocol/server-memory | 2 HIGH | 0 |
| @modelcontextprotocol/server-sequential-thinking | 2 HIGH | 0 |

All ten findings collapse to two advisories on a single transitive package: @modelcontextprotocol/sdk@1.0.1.

### GHSA-8r9q-7v3j-jr4g - ReDoS in MCP TypeScript SDK

Severity: HIGH / Fixed in: @modelcontextprotocol/sdk@1.25.2 / Version lag: 25 minor releases

The SDK's message parser contains a regex with catastrophic backtracking behaviour. An attacker who controls an upstream MCP server - or who can inject content into a tool's response - can send a carefully crafted string that pins the Node.js event loop indefinitely. Any agent process running through this SDK version becomes unresponsive.

This is exploitable from the tool-response side: the attack arrives through the output of a tool call, not through an inbound request, which means perimeter controls that only inspect inbound traffic miss it entirely.

The fix has existed since sdk@1.25.2. The servers installed today still resolve 1.0.1.

### GHSA-w48q-cv73-mx4w - DNS Rebinding Protection Not Enabled by Default

Severity: HIGH / Fixed in: @modelcontextprotocol/sdk@1.24.0 / Version lag: 24 minor releases

Without Host header validation on the SDK's HTTP listener, the DNS rebinding attack is trivially executable. An attacker serves a webpage, the user's browser resolves the domain, the browser's DNS TTL expires, the attacker rebinds their domain to 127.0.0.1. From that point the attacker's JavaScript can open a connection to the MCP server running on localhost - same-origin policy no longer applies because the domain and the target are now the same host in the browser's view. The attacker can enumerate every tool the server exposes, call them, and read the results, with the full privileges of whatever process is running the server.

Critically: this requires no malware installation, no elevated privileges, no user interaction beyond visiting a webpage. The attack is browser-native.

The fix has existed since sdk@1.24.0. The servers installed today still resolve 1.0.1.

## Why Your Scanner Probably Missed This

The top-level @modelcontextprotocol/server-* packages have no GHSA entries of their own. A scanner that queries each package by name and version - which is what PURL-based SCA, Dependabot, and most CI advisory checks do - returns a clean bill of health. This is not a failure of the advisory database; the advisories are accurate and up to date on OSV. It is a failure of scan depth.

You have to walk the full `npm ls` tree recursively to reach sdk@1.0.1. The servers declare @modelcontextprotocol/sdk as a direct dependency, but npm...