### Summary
I ran automated security audits on 7 official MCP servers using mcp-security-audit. All servers scored Grade A or B (85-100/100), which is great. But there's one consistent finding across every server except mcp-server-fetch:
No string parameters use maxLength, pattern, or enum constraints.
### Findings
| Server | Score | Unconstrained Strings |
|---|---|---|
| Fetch | 100/100 | 0 |
| SQLite | 95/100 | 5 (SQL queries, table names) |
| Time | 95/100 | 4 (timezone identifiers) |
| GitHub | 94/100 | Multiple |
| Memory | 92/100 | 1 (search query) |
| Git | 90/100 | 18 (paths, messages, branches) |
| Filesystem | 85/100 | Multiple (paths) |
### Why this matters
- DoS vector — Unconstrained strings accept arbitrarily long input. A 10MB commit message or 50K-char file path must be processed by the server.
- No boundary validation — If an LLM is compromised via prompt injection, the tool schema provides no defense against malformed input.
- Network transports — With MCP supporting Streamable HTTP, servers may be network-exposed where these constraints become critical.
### Suggested fix
One line per parameter:

```json
{
  "name": "path",
  "type": "string",
  "maxLength": 4096
}
```

For known-format params:

```json
{
  "name": "timezone",
  "type": "string",
  "pattern": "^[A-Za-z_/]+$",
  "maxLength": 50
}
```

### Full reports
Individual JSON/text reports for each server: LuciferForge/mcp-audit-reports
The audit tool: `pip install mcp-security-audit`
Happy to discuss findings or help with fixes.
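As an added illustration of the suggested fix (example code, not from the issue or from any of the audited MCP servers): two constructed tool `inputSchema` objects carry the `maxLength` / `pattern` constraints proposed above, and a small stdlib-only validator rejects oversized or malformed string arguments before a tool body would ever see them. The schema names, the `read_file` / `get_current_time` tool names and the constraint values are assumptions.

```python
"""Added example: enforce maxLength / pattern / enum on MCP tool string params.

Not code from the issue or from the official MCP servers; the tool names and
constraint values below are constructed for illustration.
"""
import re

# Constructed schemas in the MCP inputSchema (JSON Schema) shape.
TOOL_SCHEMAS = {
    "get_current_time": {
        "type": "object",
        "properties": {
            "timezone": {"type": "string", "pattern": "^[A-Za-z_/]+$", "maxLength": 50},
        },
        "required": ["timezone"],
    },
    "read_file": {
        "type": "object",
        "properties": {
            "path": {"type": "string", "maxLength": 4096},
        },
        "required": ["path"],
    },
}


def validate_args(schema, args):
    """Return a list of violations; an empty list means the call may proceed."""
    errors = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in args:
            errors.append(f"{name}: missing required parameter")
    for name, value in args.items():
        spec = props.get(name)
        if spec is None:
            errors.append(f"{name}: unexpected parameter")
            continue
        if spec.get("type") == "string" and not isinstance(value, str):
            errors.append(f"{name}: expected string")
            continue
        # Length check first: it is O(1) and stops a multi-megabyte string
        # from ever reaching the regex engine or the tool body.
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"{name}: length {len(value)} exceeds maxLength {spec['maxLength']}")
        # JSON Schema "pattern" uses search semantics, so the ^...$ anchors
        # in the schema are what make this a whole-string match.
        if "pattern" in spec and not re.search(spec["pattern"], value):
            errors.append(f"{name}: does not match pattern {spec['pattern']!r}")
        if "enum" in spec and value not in spec["enum"]:
            errors.append(f"{name}: not one of {spec['enum']}")
    return errors
```

Run `validate_args(TOOL_SCHEMAS["read_file"], {"path": "x" * 5000})` to see the length rejection the DoS bullet above describes; a well-formed timezone such as `America/New_York` passes cleanly.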