| tiêu đề | TimBroddin astro-mcp-server 1.1.1 SQL Injection |
|---|
| Mô tả | An SQL injection vulnerability (CWE-89) has been identified in astro-mcp-server version 1.1.1, specifically within src/index.ts. Multiple MCP tools, including search_rankings, accept user‑controlled parameters such as keyword, store, appName, and appId, and interpolate them directly into SQLite query strings executed by db.exec(). An attacker with network access to the MCP interface can manipulate the SQL queries to bypass filters, extract arbitrary data from the local Astro ASO database, and potentially alter query semantics. No fixed version is available at the time of reporting. |
|---|
| Nguồn | ⚠️ https://github.com/TimBroddin/astro-mcp-server/issues/2 |
|---|
| Người dùng | _Eternity_ (UID 97332) |
|---|
| Đệ trình | 14/04/2026 16:38 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 01/05/2026 11:37 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 360544 [TimBroddin astro-mcp-server đến 1.1.1 MCP Tool Query Construction src/index.ts request.params.arguments Tiêm SQL] |
|---|
| điểm | 20 |
|---|