{"id":11552412,"name":"@executeautomation/database-server","ecosystem":"npm","description":"MCP server for interacting with SQLite and SQL Server databases by ExecuteAutomation","homepage":"https://github.com/executeautomation/mcp-database-server","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/executeautomation/mcp-database-server","keywords_array":[],"namespace":"executeautomation","versions_count":4,"first_release_published_at":"2025-04-14T03:54:02.457Z","latest_release_published_at":"2025-05-30T20:38:56.403Z","latest_release_number":"1.1.0","last_synced_at":"2026-04-18T05:11:43.870Z","created_at":"2025-04-17T08:28:35.625Z","updated_at":"2026-04-18T23:11:06.911Z","registry_url":"https://www.npmjs.com/package/@executeautomation/database-server","install_command":"npm install @executeautomation/database-server","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"1.1.0"}},"repo_metadata":{"id":287633600,"uuid":"965337009","full_name":"executeautomation/mcp-database-server","owner":"executeautomation","description":"MCP Database Server is a new MCP Server which helps connect with Sqlite, SqlServer and Posgresql 
Databases","archived":false,"fork":false,"pushed_at":"2025-08-27T01:22:21.000Z","size":10266,"stargazers_count":336,"open_issues_count":20,"forks_count":90,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-13T01:22:02.890Z","etag":null,"topics":["mcp-server","posgresql","sqlite","sqlserver"],"latest_commit_sha":null,"homepage":"https://executeautomation.github.io/mcp-database-server/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/executeautomation.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-12T23:47:53.000Z","updated_at":"2026-04-07T11:07:22.000Z","dependencies_parsed_at":"2025-04-13T00:25:11.393Z","dependency_job_id":"589d876f-e27f-49ea-96ff-c51b1f554c6f","html_url":"https://github.com/executeautomation/mcp-database-server","commit_stats":null,"previous_names":["executeautomation/mcp-database-server"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/executeautomation/mcp-database-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/
executeautomation","download_url":"https://codeload.github.com/executeautomation/mcp-database-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31778589,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T00:11:49.126Z","status":"online","status_checked_at":"2026-04-14T02:00:06.344Z","response_time":153,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"executeautomation","name":"ExecuteAutomation","uuid":"10337030","kind":"user","description":"ExecuteAutomation helps people to understand software, automation, IoT, cloud, testing and more..","email":"","website":"https://www.executeautomation.com","location":"Auckland, 
NZ","twitter":"executeauto","company":"ExecuteAutomation","icon_url":"https://avatars.githubusercontent.com/u/10337030?u=6740875d1824b23341727b361678a6dee9452c8a\u0026v=4","repositories_count":81,"last_synced_at":"2023-08-03T05:11:52.563Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/executeautomation","funding_links":[],"total_stars":null,"followers":null,"following":null,"created_at":"2022-11-05T23:33:13.408Z","updated_at":"2023-08-03T05:11:52.979Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/executeautomation","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/executeautomation/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-04-18T05:13:19.932Z","dependent_packages_count":0,"downloads":3089,"downloads_period":"last-month","dependent_repos_count":0,"rankings":{"downloads":9.078077151662075,"dependent_repos_count":24.841871803667903,"dependent_packages_count":35.86064386942137,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":23.26019760825045},"purl":"pkg:npm/%40executeautomation/database-server","advisories":[{"uuid":"GSA_kwCzR0hTQS02NWhtLXB3ajUtNzNwd84ABMPv","url":"https://github.com/advisories/GHSA-65hm-pwj5-73pw","title":"@executeautomation/database-server does not properly restrict access, bypassing a \"read-only\" mode","description":"The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. 
However, the `mcp-database-server` MCP Server distributed via the npm package `@executeautomation/database-server` fails to implement a security control that properly enforces its \"read-only\" mode, and as such it is vulnerable to abuse and attacks on the affected database servers such as PostgreSQL (and potentially other database servers that expose elevated functionality through SQL-callable functions), which may result in denial of service and other unexpected behavior.\n\nThis MCP Server is also publicly published in the npm registry: https://www.npmjs.com/package/@executeautomation/database-server\n\n## Vulnerable code\n\nThe \"read-only\" guard can be bypassed in several ways (this is an access-control weakness in the query gate rather than classic parameter-level SQL injection):\n- a query that passes the `startsWith(\"SELECT\")` check can still carry multiple statements, because the pg driver's `client.query()` accepts several `;`-separated statements in a single call when given a plain query string (e.g. `SELECT 1; INSERT INTO ...;`)\n- a query that passes the check can still invoke stored procedures and other internal database functions that have side effects, including denial-of-service primitives\n\nThe tool call [here in index.ts](https://github.com/executeautomation/mcp-database-server/blob/d6afa4be08eb05343195635fa9462746a6be3a59/index.ts#L272C1-L291C6) is vulnerable:\n\n```\n// Handle tool calls\nserver.setRequestHandler(CallToolRequestSchema, async (request) =\u003e {\n  switch (request.params.name) {\n    case \"read_query\": {\n      const query = request.params.arguments?.query as string;\n      \n      if (!query.trim().toLowerCase().startsWith(\"select\")) {\n        throw new Error(\"Only SELECT queries are allowed with read_query\");\n      }\n\n      try {\n        const result = await dbAll(query);\n        return {\n          content: [{ type: \"text\", text: JSON.stringify(result, null, 2) }],\n          isError: false,\n        };\n      } catch (error: any) {\n        throw new Error(`SQL Error: ${error.message}`);\n      }\n    }\n```\n\nThe MCP Server exposes the tool `read_query` with a naive attempt at a \"read-only\" mode that is meant to allow only data retrieval from the server: it performs a check 
on the provided query string to ensure that it starts with a \"SELECT\" query.\n\nIn short, the `startsWith(\"select\")` check is not an adequate security control for restricting queries to read-only behaviour, and it can be abused to trigger side effects and database-level operations.\n\n## Exploitation\n\nWhile allowing only `SELECT` queries might seem like a good defense to allow only data retrieval and not data manipulation in any way (hence, \"read-only\" mode), it is insufficient against database servers that expose additional functionality through internal function calls.\n\nSeveral examples that will allow side effects through `SELECT` queries:\n1. Stored procedures: `SELECT some_function_that_updates_data();`\n2. Internal database administrative operations: `SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE ...;`\n\nEven when the database is known not to have any stored procedures defined, an attacker can still cause significant availability and service disruption by executing `pg_terminate_backend()`. Note that PostgreSQL only lets a non-superuser role terminate its own backends unless that role is a member of `pg_signal_backend`, so the blast radius against other users' sessions depends on the privileges of the database role the MCP server connects with.\n\nFollowing is a reproduction:\n\n- Simulate a long-running query, for example: `query = \"SELECT pg_sleep(5 * 60)\"`\n- Now, from the MCP programmatic interface, execute the following query `SELECT pid, usename, state, query FROM pg_stat_activity;` to get the PID of the long-running query\n- Next, use the same MCP interface to run the following query: `SELECT pg_terminate_backend(PID);` and observe that the long-running query is now terminated\n\nSimilar database side effects may be found in MySQL or SQLite.\n\n## Impact\n\nThe above exploitation surfaces two significant security risks: a denial of service that affects availability, and an information disclosure that gives users unauthorized visibility into the queries running on the server (via `pg_stat_activity`) and a potential leak of the data those queries reference.\n\n## Recommendation\n\n- Don't rely solely on a \"starts with `SELECT`\" string check; enforce read-only access at the database level with a least-privilege role that has only `SELECT` on the authorized tables\n- Restrict access to only the specific tables the user is authorized to query\n- Do not 
allow multiple SQL statements to be chained together like `SELECT * ...; INSERT INTO ...` (e.g. by using the driver's parameterized single-statement query path rather than passing a plain query string)\n- Require users that adopt this MCP Server to connect with a dedicated, non-superuser database role that has fine-grained, explicit permissions for only the capabilities it needs on the server.\n\n## CVE Details\n\nRecommended CWE: CWE-284: Improper Access Control\nRecommended CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\n## References and Prior work\n\n1. GitHub Kanban MCP Server found [vulnerable to command injection](https://github.com/advisories/GHSA-6jx8-rcjx-vmwf).\n2. iOS Simulator MCP Server found [vulnerable to command injection](https://github.com/advisories/GHSA-6f6r-m9pv-67jw).\n3. Liran's [Node.js Secure Coding](https://www.nodejs-security.com/book/command-injection) for educational materials on injection attacks and secure coding practices.\n4. [How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection](https://www.nodejs-security.com/blog/how-to-bypass-access-control-in-postgresql-in-simple-psql-mcp-server-for-sql-injection)\n5. 
Reference example from prior security research on this topic, demonstrating how vulnerable MCP Server connected to Cursor is abused with prompt injection to bypass the developer's intended logic:\n\n![Cursor defined MCP Server vulnerable to command injection](https://res.cloudinary.com/snyk/image/upload/f_auto,w_2560,q_auto/v1747081395/Screenshot_2025-05-07_at_9.22.11_AM_d76kvm.png)\n\n## Credit\n\nDisclosed by [Liran Tal](https://lirantal.com)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-09-16T19:31:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","references":["https://github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw","https://nvd.nist.gov/vuln/detail/CVE-2025-59333","https://github.com/advisories/GHSA-65hm-pwj5-73pw"],"source_kind":"github","identifiers":["GHSA-65hm-pwj5-73pw","CVE-2025-59333"],"repository_url":"https://github.com/executeautomation/mcp-database-server","blast_radius":1.0,"created_at":"2025-09-16T20:10:49.818Z","updated_at":"2026-04-18T23:02:06.632Z","epss_percentage":0.00128,"epss_percentile":0.32194,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NWhtLXB3ajUtNzNwd84ABMPv","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02NWhtLXB3ajUtNzNwd84ABMPv","packages":[{"ecosystem":"npm","package_name":"@executeautomation/database-server","versions":[{"first_patched_version":null,"vulnerable_version_range":"\u003c= 
1.1.0"}],"purl":"pkg:npm/%40executeautomation%2Fdatabase-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NWhtLXB3ajUtNzNwd84ABMPv/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@executeautomation/database-server","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/@executeautomation/database-server","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@executeautomation/database-server/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-03-29T11:01:45.824Z","issues_count":6,"pull_requests_count":20,"avg_time_to_close_issue":null,"avg_time_to_close_pull_request":234401.53846153847,"issues_closed_count":0,"pull_requests_closed_count":13,"pull_request_authors_count":9,"issue_authors_count":6,"avg_comments_per_issue":0.0,"avg_comments_per_pull_request":0.35,"merged_pull_requests_count":13,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":6,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":234401.53846153847,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":13,"past_year_pull_request_authors_count":9,"past_year_issue_authors_count":6,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.35,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":13,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/executeautomation%2Fmcp-database-server/issues","maintainers":[{"login":"executeautomation","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/executeautomation"}],"active_maintainers":[{"login":"executeautomation","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/executeautomation"}]},"ve
rsions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@executeautomation%2Fdatabase-server/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@executeautomation%2Fdatabase-server/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@executeautomation%2Fdatabase-server/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@executeautomation%2Fdatabase-server/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@executeautomation%2Fdatabase-server/codemeta","maintainers":[{"uuid":"executeautomation","login":"executeautomation","name":null,"email":"karthik@techgeek.co.in","url":null,"packages_count":3,"html_url":"https://www.npmjs.com/~executeautomation","role":null,"created_at":"2025-04-17T08:28:47.316Z","updated_at":"2025-04-17T08:28:47.316Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/executeautomation/packages"}]}