VulnWatch VulnWatch
← Back to dashboard
Critical github · GHSA-j4f3-55x4-r6q2

npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call

Published Jun 18, 2026 CVSS 9.8

Summary

The published npm package praisonai exports a TypeScript MCPServer that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with:

await server.start({ port: 3000 });

The HTTP transport has no authentication or authorization path. MCPServerConfig does not expose an auth/security setting, startHttp() ignores the Authorization header, and every POST request is parsed and forwarded directly to handleRequest(). That request handler dispatches sensitive MCP methods such as tools/call, resources/read, and prompts/get.

The implementation also calls this.httpServer.listen(port) without a host argument. In Node.js this binds to the unspecified address; the local PoV observed { address: "::", family: "IPv6" }, making the service reachable on all interfaces on systems where the port is exposed.

This lets any network client that can reach the HTTP port list tools and invoke registered server-side tools without credentials. Supplying Authorization: Bearer invalid makes no difference.

Technical Details

MCPServerConfig exposes server metadata, tools/resources/prompts, stdio, port, and logging. It does not expose an auth token, authorization policy, MCPSecurity instance, authorization callback, or loopback-only option:

src/praisonai-ts/src/mcp/server.ts
  57: export interface MCPServerConfig {
  63:     tools?: MCPServerTool[];
  65:     resources?: MCPResource[];
  67:     prompts?: MCPPrompt[];
  69:     stdio?: boolean;
  73:     port?: number | null;
  75:     logging?: boolean;

handleRequest() dispatches sensitive MCP methods directly:

src/praisonai-ts/src/mcp/server.ts
  203: async handleRequest(request: MCPRequest): Promise {
  219:     case 'tools/call':
  220:       result = await this.handleToolCall(params);
  225:     case 'resources/read':
  226:       result = await this.handleResourceRead(params);
  231:     case 'prompts/get':
  232:       result = await this.handlePromptGet(params);

The tool dispatcher invokes the registered handler:

src/praisonai-ts/src/mcp/server.ts
  285: private async handleToolCall(params?: any): Promise {
  288:   const tool = this.tools.get(name);
  298:   const result = await tool.handler(args ?? {});

The HTTP server parses every POST body and forwards it to handleRequest() with no authentication check:

src/praisonai-ts/src/mcp/server.ts
  403: async startHttp(port: number): Promise {
  409:   this.httpServer = http.createServer(async (req, res) => {
  416:     const response = await this.handleRequest(request);
  434:   this.httpServer.listen(port, () => {

This is a guard-coverage gap because the same TypeScript package already ships a dedicated MCP security manager:

src/praisonai-ts/src/mcp/security.ts
  2:  * MCP Security - Authentication, authorization, and rate limiting
  79: export class MCPSecurity {
  132: async check(request: { path?: string; method?: string; headers?: ... })
  167: const auth = headers['authorization'] ?? headers['Authorization'];
  239: case 'authenticate':
  303: export function createApiKeyPolicy(...)

MCPServer never references that security manager in its HTTP request path.

Why This Is Not Intended Behavior

PraisonAI's MCP documentation says MCP servers allow AI models to use tools and communicate with external systems. The same page's security considerations say to use API keys in production, implement rate limiting, validate incoming requests, use HTTPS, and limit custom tool permissions.

PraisonAI's security page also documents prior breaking hardening where API servers were changed to require authentication by default and bind to 127.0.0.1 instead of 0.0.0.0. It separately lists MCP tools/call issues as security vulnerabilities.

The npm TypeScript MCPServer does the opposite:

  • start({ port }) binds to the unspecified address;
  • MCPServerConfig has no auth/security field;
  • startHttp() does not inspect Authorization;
  • tools/list, tools/call, resources/read, and prompts/get all dispatch without authentication; and
  • MCPSecurity exists but is not wired into the HTTP server.

This is not merely a deployment hardening suggestion. The package exposes an HTTP MCP server API and a separate security manager, but the server's own HTTP transport provides no way to enforce the documented API-key requirement.

PoV

The PoV installs the published npm package in a temporary project, starts the exported MCPServer on a local ephemeral port, and sends loopback JSON-RPC requests. It does not call any LLM provider or external service after package installation.

Run from a local reproduction checkout:

node poc/pov_poc.js 1.7.1

Observed result:

{
  "package": "praisonai",
  "version": "1.7.1",
  "mcpServerExported": true,
  "bindAddress": {
    "address": "::",
    "family": "IPv6"
  },
  "initialize": {
    "status": 200
  },
  "list": {
    "status": 200,
    "json": {
      "result": {
        "tools": [
          {
            "name": "admin_reset_marker",
            "description": "privileged marker tool"
          }
        ]
      }
    }
  },
  "callNoAuth": {
    "status": 200,
    "json": {
      "result": {
        "content": [
          {
            "text": "invoked:NO_AUTH_MARKER"
          }
        ]
      }
    }
  },
  "callBadAuth": {
    "status": 200,
    "json": {
      "result": {
        "content": [
          {
            "text": "invoked:BAD_AUTH_MARKER"
          }
        ]
      }
    }
  },
  "calls": [
    "NO_AUTH_MARKER",
    "BAD_AUTH_MARKER"
  ],
  "patchedControl": {
    "noAuthStatus": 401,
    "withAuthStatus": 200,
    "patchedCalls": [
      "called"
    ]
  }
}

Interpretation:

  • unauthenticated initialize returns 200;
  • unauthenticated tools/list returns the registered tool;
  • unauthenticated tools/call invokes the registered tool;
  • invalid Authorization: Bearer invalid is ignored and also invokes the tool;
  • the server binds to the unspecified IPv6 address; and
  • a minimal local wrapper that enforces a bearer token blocks the same no-auth call with 401, demonstrating that the PoV is exercising the missing authentication boundary.

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Impact

Any client that can reach the npm TypeScript MCPServer HTTP port can list and invoke all registered MCP tools without credentials.

Real impact depends on which tools, resources, and prompts the application registers. MCP tools commonly wrap filesystem operations, API clients, database queries, agent actions, deployment operations, email/Slack actions, browser automation, and code execution. Because those handlers run with the server process privileges and server-side credentials, an unauthenticated caller can drive the same actions.

resources/read and prompts/get are also unauthenticated and may disclose application data or prompt material registered by the server.

Severity

Suggested severity: Critical.

Rationale:

  • AV: exploitation is a direct HTTP JSON-RPC request.
  • AC: no race, user gesture, or special state is required.
  • PR: no credentials are required; invalid credentials are ignored.
  • UI: no user interaction is required after the server is running.
  • S: impact is within the authority of the MCP server process and its registered tools.
  • C: resources, prompts, and tool-returned data may expose sensitive data.
  • I: unauthenticated callers can drive server-side tools.
  • A: unauthenticated callers can invoke destructive or resource-consuming tools if registered.

Suggested Fix

Recommended minimum fix:

  1. Add security, auth, authRequired, apiKeys, or authorize(req) to MCPServerConfig.
  2. Fail closed for HTTP transport when auth is not configured, unless the caller explicitly opts into unauthenticated loopback-only development mode.
  3. Bind HTTP transport to 127.0.0.1 by default, or require an explicit host when binding to all interfaces.
  4. Call MCPSecurity.check(...) or equivalent middleware before every non-health POST request reaches handleRequest().
  5. Return 401 for missing or invalid credentials before dispatching initialize, tools/list, tools/call, resources/read, or prompts/get.
  6. Add Origin/Host protections for loopback HTTP transports to reduce DNS rebinding exposure.
  7. Add regression tests proving:
    • no-auth tools/list returns 401;
    • no-auth tools/call returns 401 and does not invoke the handler;
    • invalid bearer token returns 401;
    • valid bearer token invokes the handler;
    • default start({ port }) does not bind to all interfaces without an explicit opt-in.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: npm
  • Package: praisonai
  • Component: src/praisonai-ts/src/mcp/server.ts
  • Related unused security component: src/praisonai-ts/src/mcp/security.ts
  • Current npm version checked: 1.7.1
  • Refreshed origin/main checked: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e

Confirmed affected range:

>= 1.5.0,
Remote Code Execution Agentic / MCP

Affected AI Products

mcp server ai model llm
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.