MCP Scanner
100A

gemini-vision-mcp

Artin0123/gemini-image-mcp-server

12 files · 1 finding

1 high
Tool Poisoning: clean
Command Injection: clean
Path Traversal: clean
SSRF: 1 issue
Credential Theft: clean
Excessive Permissions: clean
Missing Auth: clean
Supply Chain
SSRF (1)

HTTP request with unvalidated URL parameter

high

Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.

src/gemini-media.ts:145
const response = await fetch(source.data);
How to fix

Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.

clean
Rug Pull: clean