Summary
The experimental-mcp SSE server starts with no authentication and accepts
arbitrary filesystem paths from any caller via the scan_vulnerable_dependencies
tool. The fileOpenedLogger returns absolute paths of every file scalibr opens
back to the MCP client verbatim.
Affected code
cmd/osv-scanner/mcp/command.go:121 — DirectoryPaths: input.Paths
(no path validation or allowlist)
cmd/osv-scanner/mcp/stats.go:29 — filepath.Join(Root, Path)
returned to caller in tool response
cmd/osv-scanner/mcp/command.go:91 — SSE server starts with no
auth middleware
Suggested fixes
- Add token authentication to the SSE server
- Restrict input.Paths to a declared workspace root using filepath.Rel
- Exclude fileOpenedLogger output from the MCP tool response —
it was likely intended for local debug output only
Notes
Reported to Google VRP — closed as below severity threshold with
permission to disclose publicly.
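A sketch of the first two suggested fixes, added here as an illustration and not taken from the osv-scanner code base. The names confineToWorkspace, requireBearer and ErrOutsideWorkspace and the /srv/workspace root are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

var ErrOutsideWorkspace = errors.New("path is outside the workspace root")

// confineToWorkspace (hypothetical helper) resolves requested against root and
// rejects any path that filepath.Rel shows to lie outside root.
func confineToWorkspace(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := requested
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate)
	}
	rel, err := filepath.Rel(absRoot, filepath.Clean(candidate))
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideWorkspace, requested)
	}
	return filepath.Join(absRoot, rel), nil
}

// requireBearer (hypothetical middleware) rejects requests whose Authorization
// header does not carry the expected token; an empty token denies everything.
func requireBearer(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if token == "" || subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed input: a traversal attempt against an assumed root
	fmt.Println(confineToWorkspace("/srv/workspace", "../../etc"))
}
```

The filepath.Rel check is lexical only: if the workspace can contain symlinks, resolve both paths with filepath.EvalSymlinks before comparing.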