Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const oauthRedirectUrl = `http://127.0.0.1:${oauthConfig.port}${oauthConfig.path}`
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
import { OAuthCallbackServer } from './oauth/callback.js'
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
Detected console.log() usage in non-test source code. Console.log is not appropriate for production logging as it lacks log levels, structured output, and proper log management.
console.log(JSON.stringify(result, null, 2))
Replace console.log with a structured logging library (e.g., winston, pino) that supports log levels and proper log management.
An HTTP server is created without configuring Strict-Transport-Security (HSTS) headers. Without HSTS, browsers may allow downgrade attacks from HTTPS to HTTP.
server = this.app.listen(port, (err) => {
Add Strict-Transport-Security headers to your server responses. Use a middleware such as helmet to set HSTS automatically.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
import { McpOAuthClientProvider } from './oauth/provider.js'
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
const oauthConfig = { port: await getPort({ port: 49153 }), path: '/oauth/callback' }
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
return config.get(`oauth.${this.serverId}.clientInformation`)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
await config.set(`oauth.${this.serverId}.clientInformation`, clientInformation)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
return config.get(`oauth.${this.serverId}.tokens`)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
await config.set(`oauth.${this.serverId}.tokens`, tokens)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
return config.get(`oauth.${this.serverId}.codeVerifier`)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.
OAuth-protected endpoints that don't validate scopes may allow unauthorized actions.
await config.set(`oauth.${this.serverId}.codeVerifier`, codeVerifier)
Validate OAuth scopes on every endpoint. Check that the token has the required permissions.