npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
- When
- Where
- Global (internet)
- Category
- cyber_advisory · npm
## Summary The published npm package `praisonai` exports a TypeScript `MCPServer` that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: ```ts await server.start({ port: 3000 }); ``` The HTTP transport has no authentication or authorization path. `MCPServerConfig` does not expose an auth/security setting, `startHttp()` ignores the `Authorization` header, and every POST request is parsed and forwarded directly to `handleRequest()`. That request handler dispatches sensitive MCP methods such as `tools/call`, `resources/read`, and `prompts/get`. The implementation also calls `this.httpServer.listen(port)` without a host argument. In Node.js this binds to the unspecified address; the local PoV observed `{ address: "::", family: "IPv6" }`, making the service reachable on all interfaces on systems where the port is exposed. This lets any network client that can reach the HTTP port list tools and invoke registered server-side tools without credentials. Supplying `Authorization: Bearer invalid` makes no difference. ## Technical Details `MCPServerConfig` exposes server metadata, tools/resources/prompts, stdio, port, and logging. It does not expose an auth token, authorization policy, `MCPSecurity` instance, authorization callback, or loopback-only option: ```text src/praisonai-ts/src/mcp/server.ts 57: export interface MCPServerConfig { 63: tools?: MCPServerTool[]; 65: resources?: MCPResource[]; 67: prompts?: MCPPrompt[]; 69: stdio?: boolean; 73: port?: number | null; 75: logging?: boolean; ``` `handleRequest()` dispatches sensitive MCP methods directly: ```text src/praisonai-ts/src/mcp/server.ts 203: async handleRequest(request: MCPRequest): Promise<MCPResponse> { 219: case 'tools/call': 220: result = await this.handleToolCall(params); 225: case 'resources/read': 226: result = await this.handleResourceRead(params); 231: case 'prompts/get': 232: result = await this.handlePromptGet(params); ``` The tool dispatcher invokes the registered handler: ```text src/praisonai-ts/src/mcp/server.ts 285: private async handleToolCall(params?: any): Promise<any> { 288: const tool = this.tools.get(name); 298: const result = await tool.handler(args ?? {}); ``` The HTTP server parses every POST body and forwards it to `handleRequest()` with no authentication check: ```text src/praisonai-ts/src/mcp/server.ts 403: async startHttp(port: number): Promise<void> { 409: this.httpServer = http.createServer(async (req, res) => { 416: const response = await this.handleRequest(request); 434: this.httpServer.listen(port, () => { ``` This is a guard-coverage gap because the same TypeScript package already ships a dedicated MCP security manager: ```text src/praisonai-ts/src/mcp/security.ts 2: * MCP Security - Authentication, authorization, and rate limiting 79: export class MCPSecurity { 132: async check(request: { path?: string; method?: string; headers?: ... }) 167: const auth = headers['authorization'] ?? headers['Authorization']; 239: case 'authenticate': 303: export function createApiKeyPolicy(...) ``` `MCPServer` never references that security manager in its HTTP request path. ### Why This Is Not Intended Behavior PraisonAI's MCP documentation says MCP servers allow AI models to use tools and communicate with external systems. The same page's security considerations say to use API keys in production, implement rate limiting, validate incoming requests, use HTTPS, and limit custom tool permissions. PraisonAI's security page also documents prior breaking hardening where API servers were changed to require authentication by default and bind to `127.0.0.1` instead of `0.0.0.0`. It separately lists MCP `tools/call` issues as security vulnerabilities. The npm TypeScript `MCPServer` does the opposite: - `start({ port })` binds to the unspecified address; - `MCPServerConfig` has no auth/security field; - `startHttp()` does not inspect `Authorization`; - `tools/list`, `tools/call`, `resources/read`, and `prompts/get` all dispatch without authentication; and - `MCPSecurity` exists but is not wired into the HTTP server. This is not merely a deployment hardening suggestion. The package exposes an HTTP MCP server API and a separate security manager, but the server's own HTTP transport provides no way to enforce the documented API-key requirement. ## PoV The PoV installs the published npm package in a temporary project, starts the exported `MCPServer` on a local ephemeral port, and sends loopback JSON-RPC requests. It does not call any LLM provider or external service after package installation. Run from a local reproduction checkout: ```fish node poc/pov_poc.js 1.7.1 ``` Observed result: ```json { "package": "praisonai", "version": "1.7.1", "mcpServerExported": true, "bindAddress": { "address": "::", "family": "IPv6" }, "initialize": { "status": 200 }, "list": { "status": 200, "json": { "result": { "tools": [ { "name": "admin_reset_marker", "description": "privileged marker tool" } ] } } }, "callNoAuth": { "status": 200, "json": { "result": { "content": [ { "text": "invoked:NO_AUTH_MARKER" } ] } } }, "callBadAuth": { "status": 200, "json": { "result": { "content": [ { "text": "invoked:BAD_AUTH_MARKER" } ] } } }, "calls": [ "NO_AUTH_MARKER", "BAD_AUTH_MARKER" ], "patchedControl": { "noAuthStatus": 401, "withAuthStatus": 200, "patchedCalls": [ "called" ] } } ``` Interpretation: - unauthenticated `initialize` returns `200`; - unauthenticated `tools/list` returns the registered tool; - unauthenticated `tools/call` invokes the registered tool; - invalid `Authorization: Bearer invalid` is ignored and also invokes the tool; - the server binds to the unspecified IPv6 address; and - a minimal local wrapper that enforces a bearer token blocks the same no-auth call with `401`, demonstrating that the PoV is exercising the missing authentication boundary. ## PoC The PoV section above contains the local reproduction command, input, and decisive output. ## Impact Any client that can reach the npm TypeScript `MCPServer` HTTP port can list and invoke all registered MCP tools without credentials. Real impact depends on which tools, resources, and prompts the application registers. MCP tools commonly wrap filesystem operations, API clients, database queries, agent actions, deployment operations, email/Slack actions, browser automation, and code execution. Because those handlers run with the server process privileges and server-side credentials, an unauthenticated caller can drive the same actions. `resources/read` and `prompts/get` are also unauthenticated and may disclose application data or prompt material registered by the server. ### Severity Suggested severity: Critical. Rationale: - `AV`: exploitation is a direct HTTP JSON-RPC request. - `AC`: no race, user gesture, or special state is required. - `PR`: no credentials are required; invalid credentials are ignored. - `UI`: no user interaction is required after the server is running. - `S`: impact is within the authority of the MCP server process and its registered tools. - `C`: resources, prompts, and tool-returned data may expose sensitive data. - `I`: unauthenticated callers can drive server-side tools. - `A`: unauthenticated callers can invoke destructive or resource-consuming tools if registered. ## Suggested Fix Recommended minimum fix: 1. Add `security`, `auth`, `authRequired`, `apiKeys`, or `authorize(req)` to `MCPServerConfig`. 2. Fail closed for HTTP transport when auth is not configured, unless the caller explicitly opts into unauthenticated loopback-only develop
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-18 14:26 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.
No correlated events found in the current window. As more events arrive, connections form automatically.