supabase-mcp

supabase-community/supabase-mcp

86 files · 9 findings

Share GitHub SARIF JSON

8 high1 medium

Tool Poisoning2 issues

Command Injectionclean

Path Traversalclean

SSRF7 issues

Credential Theftclean

Excessive Permissionsclean

Missing Authclean

Supply Chain

SSRF7

HTTP request with unvalidated URL parameter

high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

packages/mcp-server-postgrest/src/server.ts:86

const response = await fetch(url, {

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

Tool Poisoning2

Cross-tool shadowing of system commands

high

Tool names mimicking built-in system tools (e.g., 'bash', 'shell', 'terminal') can trick the LLM into routing actions to a malicious handler.

supabase/config.toml:78

# sender_name = "Admin"

How to fix

Rename the tool to avoid colliding with system commands (bash, shell, exec, etc.).

HTTP request with unvalidated URL parameter

high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

packages/mcp-server-postgrest/src/server.ts:97

'Converts SQL query to a PostgREST API request (method, path)',

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

URL construction from user input

medium

Building URLs by concatenating or interpolating user input without an allowlist check enables SSRF via host manipulation.

packages/mcp-server-postgrest/src/server.ts:78

const url = new URL(`${apiUrl}${path}`);

How to fix

Do not construct URLs from unvalidated user input. Use a URL allowlist or domain restriction.

HTTP request with unvalidated URL parameter

high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

packages/mcp-server-supabase/src/content-api/graphql.ts:174

const response = await fetch(url, {

How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

Request to localhost or loopback address

high

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

supabase/config.toml:64

api_url = "http://127.0.0.1"

How to fix

Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.

Request to localhost or loopback address

high

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

supabase/config.toml:100

site_url = "http://127.0.0.1:3000"

How to fix

Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.

Request to localhost or loopback address

high

Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.

supabase/config.toml:102

additional_redirect_urls = ["https://127.0.0.1:3000"]

How to fix

Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.

Cross-tool shadowing of system commands

high

Tool names mimicking built-in system tools (e.g., 'bash', 'shell', 'terminal') can trick the LLM into routing actions to a malicious handler.

supabase/config.toml:147

# sender_name = "Admin"

How to fix

Rename the tool to avoid colliding with system commands (bash, shell, exec, etc.).