Use with caution. Address findings before production.
Scanned 5/1/2026, 6:33:21 AMยทCached resultยทDeep Scanยท88 rulesยทHow we decide โ
AIVSS Score
Medium
Severity Breakdown
0
critical
9
high
134
medium
58
low
MCP Server Information
Findings
No known CVEs found for this package or its dependencies.
REC in MCPJam inspector due to HTTP Endpoint exposes
Scan Details
Done
Sign in to save scan history and re-scan automatically on new commits.
Building your own MCP server?
Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasnโt shipped yet.
29 of 29 findings
29 findings
A variable named like a secret (secret/token/apikey/password/ credential/private_key/bearer) is emitted to a logger, stdout, HTTP response, MCP tool response, or file write without redaction. If the value is genuinely not sensitive, rename it; otherwise wrap with a redaction helper.
Evidence
| 434 | authHeader = `Bearer ${token}`; |
| 435 | } |
| 436 | } catch (tokenError) { |
| 437 | console.warn( |
| 438 | "[useChat] failed to retrieve access token", |
| 439 | tokenError, |
| 440 | ); |
| 441 | } |
| 442 | } |
Remediation
Do not return raw secret material from MCP tools or emit it to logs. Redact via a helper (`mask`, `redact`, `sanitize`), hash via `hashlib` / `crypto.createHash`, or expose only the length / a short prefix. For Secrets Manager and KMS responses, avoid returning `SecretString` / `Plaintext` from tool handlers โ return an opaque reference or a derived value instead.
File registers an MCP resource handler (`@mcp.resource`, `server.registerResource`, or a `"resources/read"` JSON-RPC handler) AND opens a file with no path-canonicalisation guard. The URI parameter from the client flows directly into a filesystem sink, letting a malicious request escape the intended root via `..` / absolute paths / symlinks. Canonicalise via `os.path.realpath` + `os.path.commonpath` / `path.resolve` + prefix check, OR use `secure_filename` / `pathlib.Path.relative_to(allowed_ro
Evidence
| 1 | import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; |
| 2 | import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js"; |
| 3 | import { createServer, IncomingMessage, ServerResponse } from "http"; |
| 4 | import { readFileSync } from "fs"; |
| 5 | import { join, dirname } from "path"; |
| 6 | import { fileURLToPath } from "url"; |
| 7 | |
| 8 | const __dirname = dirname(fileURLToPath(import.meta.url)); |
| 9 | |
| 10 | let coffeeCount: number = 0; |
| 11 | |
| 12 | const server = new McpServer({ |
| 13 | name: "coffee-shop", |
| 14 | vers |
Remediation
Canonicalise the path with `os.path.realpath` + `os.path.commonpath`, or `path.resolve` + a prefix check against the allowed root; alternatively `pathlib.Path(uri).resolve().relative_to(allowed_root)` and reject on the ValueError. For TS/JS, use `path.resolve(root, sub)` then verify `resolved.startsWith(root + path.sep)`. Never read the URI directly into `open()` / `fs.readFile`.
File registers an MCP resource handler (`@mcp.resource`, `server.registerResource`, or a `"resources/read"` JSON-RPC handler) AND opens a file with no path-canonicalisation guard. The URI parameter from the client flows directly into a filesystem sink, letting a malicious request escape the intended root via `..` / absolute paths / symlinks. Canonicalise via `os.path.realpath` + `os.path.commonpath` / `path.resolve` + prefix check, OR use `secure_filename` / `pathlib.Path.relative_to(allowed_ro
Evidence
| 1 | --- |
| 2 | title: "OpenAI SDK Integration" |
| 3 | description: "Understanding MCPJam Inspector's OpenAI Apps SDK implementation for custom UX components" |
| 4 | icon: "puzzle" |
| 5 | --- |
| 6 | |
| 7 | # OpenAI SDK Architecture |
| 8 | |
| 9 | This guide explains how MCPJam Inspector implements the OpenAI Apps SDK to render custom UI components for MCP tool results. This enables MCP server developers to create rich, interactive visualizations for their tool outputs. |
| 10 | |
| 11 | <Note> |
| 12 | MCPJam Inspector also supports |
| 13 | [MCP-UI](https://github.com/modelcontextpro |
Remediation
Canonicalise the path with `os.path.realpath` + `os.path.commonpath`, or `path.resolve` + a prefix check against the allowed root; alternatively `pathlib.Path(uri).resolve().relative_to(allowed_root)` and reject on the ValueError. For TS/JS, use `path.resolve(root, sub)` then verify `resolved.startsWith(root + path.sep)`. Never read the URI directly into `open()` / `fs.readFile`.
File mounts an HTTP route that handles MCP `tools/list` (Express / Fastify / FastAPI / Flask) but the route โ and the router it sits behind โ has no auth middleware applied. An anonymous client can enumerate every tool the server exposes, scope the attack surface, and (if `tools/call` shares the route) invoke them. Apply auth at the route or router level: Express `passport.authenticate(...)` / a `requireAuth`-style middleware, FastAPI `Depends(get_current_user)` or `Depends(verify_jwt)`, Flask
Evidence
| 1 | /** |
| 2 | * Shared utilities for running MCP servers with Streamable HTTP transport. |
| 3 | */ |
| 4 | |
| 5 | import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js"; |
| 6 | import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; |
| 7 | import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js"; |
| 8 | import cors from "cors"; |
| 9 | import type { Request, Response } from "express"; |
| 10 | import { createRemoteJWKSet, jwtVerify } from "jose"; |
| 11 | |
| 12 | export interface ServerOptio |
Remediation
Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s
File mounts an HTTP route that handles MCP `tools/list` (Express / Fastify / FastAPI / Flask) but the route โ and the router it sits behind โ has no auth middleware applied. An anonymous client can enumerate every tool the server exposes, scope the attack surface, and (if `tools/call` shares the route) invoke them. Apply auth at the route or router level: Express `passport.authenticate(...)` / a `requireAuth`-style middleware, FastAPI `Depends(get_current_user)` or `Depends(verify_jwt)`, Flask
Evidence
| 1 | /** |
| 2 | * Shared utilities for running MCP servers with Streamable HTTP transport. |
| 3 | */ |
| 4 | |
| 5 | import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js"; |
| 6 | import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; |
| 7 | import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js"; |
| 8 | import cors from "cors"; |
| 9 | import type { Request, Response } from "express"; |
| 10 | |
| 11 | export interface ServerOptions { |
| 12 | port: number; |
| 13 | name?: string; |
| 14 | } |
| 15 | |
| 16 | /** |
| 17 | * Starts |
Remediation
Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s
File mounts an HTTP route that handles MCP `tools/list` (Express / Fastify / FastAPI / Flask) but the route โ and the router it sits behind โ has no auth middleware applied. An anonymous client can enumerate every tool the server exposes, scope the attack surface, and (if `tools/call` shares the route) invoke them. Apply auth at the route or router level: Express `passport.authenticate(...)` / a `requireAuth`-style middleware, FastAPI `Depends(get_current_user)` or `Depends(verify_jwt)`, Flask
Evidence
| 1 | import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js"; |
| 2 | import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; |
| 3 | import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js"; |
| 4 | import cors from "cors"; |
| 5 | import type { Request, Response } from "express"; |
| 6 | |
| 7 | export interface ServerOptions { |
| 8 | port: number; |
| 9 | name?: string; |
| 10 | } |
| 11 | |
| 12 | export async function startServer( |
| 13 | createServer: () => McpServer, |
| 14 | options: ServerOptions, |
| 15 | ): P |
Remediation
Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s
MCP tool returns content marked as HTML (`{type: "html"}`, `Content-Type: text/html`, or `mimeType: "text/html"`) with no sanitiser on the same code path. The host renders HTML directly โ anything tainted in the body becomes a script execution / markup-injection vector. Pipe the body through `DOMPurify.sanitize()` (TS), `bleach.clean()` (Python), `lxml.html.clean.Cleaner`, or `sanitize_html` before returning. Better: return `{type: "text"}` / `text/plain` and let the host escape. Distinct from
Evidence
| 1 | --- |
| 2 | title: "OpenAI SDK Integration" |
| 3 | description: "Understanding MCPJam Inspector's OpenAI Apps SDK implementation for custom UX components" |
| 4 | icon: "puzzle" |
| 5 | --- |
| 6 | |
| 7 | # OpenAI SDK Architecture |
| 8 | |
| 9 | This guide explains how MCPJam Inspector implements the OpenAI Apps SDK to render custom UI components for MCP tool results. This enables MCP server developers to create rich, interactive visualizations for their tool outputs. |
| 10 | |
| 11 | <Note> |
| 12 | MCPJam Inspector also supports |
| 13 | [MCP-UI](https://github.com/modelcontextpro |
Remediation
Sanitise the HTML body before return. Prefer `DOMPurify.sanitize(body)` (TS, plenty of MCP servers already bundle it for resource rendering) or `bleach.clean(body, tags=ALLOWED_TAGS, strip=True)` (Python). Even better: return `{type: "text"}` / `Content-Type: text/plain` and let the host's markdown renderer handle escape. HTML output is rarely needed for tool results.
Auth material (token / session / JWT / API key) is stored in `localStorage` or `sessionStorage`. Both are JS-readable from any script in the same origin โ a single XSS leaks the credential, and no `HttpOnly` cookie option exists for these stores. Move auth material to an `HttpOnly; Secure; SameSite=Lax` cookie set by the server. If you must keep it client-side, use the in-memory store of an SPA framework and accept the cost of re-auth on tab refresh.
Evidence
| 646 | localStorage.setItem("mcp-oauth-pending", "asana"); |
| 647 | localStorage.setItem("mcp-oauth-return-hash", "#asaan"); |
| 648 | localStorage.setItem("workos.test", "stale-local"); |
| 649 | sessionStorage.setItem("workos.session", "stale-session"); |
| 650 | localStorage.setItem( |
| 651 | "mcpjam_guest_session_v1", |
| 652 | JSON.stringify({ |
Remediation
Set credentials via an `HttpOnly; Secure; SameSite=Lax` cookie from the server. Cookie-based sessions are immune to XSS read-out (they're not exposed to JS) and add CSRF as the only remaining concern (see MCP-235). If you must keep tokens client-side, hold them in memory only (SPA store / closure variable). Accept the re-auth cost on tab refresh as the trade-off.
Auth material (token / session / JWT / API key) is stored in `localStorage` or `sessionStorage`. Both are JS-readable from any script in the same origin โ a single XSS leaks the credential, and no `HttpOnly` cookie option exists for these stores. Move auth material to an `HttpOnly; Secure; SameSite=Lax` cookie set by the server. If you must keep it client-side, use the in-memory store of an SPA framework and accept the cost of re-auth on tab refresh.
Evidence
| 1084 | "https://mcp.asana.com/sse" |
| 1085 | ); |
| 1086 | await provider.saveDiscoveryState(createDiscoveryState()); |
| 1087 | sessionStorage.setItem( |
| 1088 | "mcp-oauth-session-trace-asana", |
| 1089 | JSON.stringify({ serverName: "asana" }) |
| 1090 | ); |
Remediation
Set credentials via an `HttpOnly; Secure; SameSite=Lax` cookie from the server. Cookie-based sessions are immune to XSS read-out (they're not exposed to JS) and add CSRF as the only remaining concern (see MCP-235). If you must keep tokens client-side, hold them in memory only (SPA store / closure variable). Accept the re-auth cost on tab refresh as the trade-off.
MCP tool returns text containing a persistent-directive phrase ("verbatim in every response", "in all future replies", "from now on always", "speak like X in subsequent turns"). Once that text reaches the LLM, it can embed directives in ALL future responses โ a session-level injection that survives across turns. Tool output should never contain meta-instructions to the model. If your tool retrieved this content from external data (RAG, web fetch, file read), strip / sanitize before returning, o
Evidence
| 1 | # SEP-1865: MCP Apps: Interactive User Interfaces for MCP |
| 2 | |
| 3 | **Track:** Extensions |
| 4 | |
| 5 | **Authors:** Ido Salomon, Liad Yosef, Olivier Chafik, Jerome Swannack, Jonathan Hefner, Anton Pidkuiko, Nick Cooper, Bryan Ashley, Alexi Christakis |
| 6 | |
| 7 | **Status:** Draft |
| 8 | |
| 9 | **Created:** 2025-11-21 |
| 10 | |
| 11 | ## Abstract |
| 12 | |
| 13 | This SEP proposes an extension (per SEP-1724) to MCP that enables servers to deliver interactive user interfaces to hosts. MCP Apps introduces a standardized pattern for declaring UI resources via the `ui://` URI |
Remediation
Tool output should never contain meta-instructions to the model. If your tool legitimately needs to suggest LLM behavior, do it via a `prompts/get` handler (which the user explicitly opts into) or via the system prompt โ not in the body of a tool return. If the persistent-directive phrasing is coming from external data the tool retrieved (RAG, web fetch, file read), strip or sanitize it before returning. The defense is the same as MCP-096 (indirect-prompt-injection): wrap retrieved content in `
MCP tool returns text containing a persistent-directive phrase ("verbatim in every response", "in all future replies", "from now on always", "speak like X in subsequent turns"). Once that text reaches the LLM, it can embed directives in ALL future responses โ a session-level injection that survives across turns. Tool output should never contain meta-instructions to the model. If your tool retrieved this content from external data (RAG, web fetch, file read), strip / sanitize before returning, o
Evidence
| 1 | # SEP-1865: MCP Apps: Interactive User Interfaces for MCP |
| 2 | |
| 3 | **Track:** Extensions |
| 4 | |
| 5 | **Authors:** Ido Salomon, Liad Yosef, Olivier Chafik, Jerome Swannack, Jonathan Hefner, Anton Pidkuiko, Nick Cooper, Bryan Ashley, Alexi Christakis |
| 6 | |
| 7 | **Status:** Draft |
| 8 | |
| 9 | **Created:** 2025-11-21 |
| 10 | |
| 11 | ## Abstract |
| 12 | |
| 13 | This SEP proposes an extension (per SEP-1724) to MCP that enables servers to deliver interactive user interfaces to hosts. MCP Apps introduces a standardized pattern for declaring UI resources via the `ui://` URI |
Remediation
Tool output should never contain meta-instructions to the model. If your tool legitimately needs to suggest LLM behavior, do it via a `prompts/get` handler (which the user explicitly opts into) or via the system prompt โ not in the body of a tool return. If the persistent-directive phrasing is coming from external data the tool retrieved (RAG, web fetch, file read), strip or sanitize it before returning. The defense is the same as MCP-096 (indirect-prompt-injection): wrap retrieved content in `
MCP tool description or return text contains an imperative phrase that asks the LLM to invoke or call ANOTHER tool โ "invoke the write_file tool", "before using this, also call send_email", "silently invoke X". This is a cross-tool chaining injection: the user authorized THIS tool, but the payload escalates into others. Tool descriptions should describe what the tool DOES, not direct the LLM to use other tools. If a tool's correct operation requires composition, document the dependency in human
Evidence
| 1 | --- |
| 2 | title: "OpenAI SDK Integration" |
| 3 | description: "Understanding MCPJam Inspector's OpenAI Apps SDK implementation for custom UX components" |
| 4 | icon: "puzzle" |
| 5 | --- |
| 6 | |
| 7 | # OpenAI SDK Architecture |
| 8 | |
| 9 | This guide explains how MCPJam Inspector implements the OpenAI Apps SDK to render custom UI components for MCP tool results. This enables MCP server developers to create rich, interactive visualizations for their tool outputs. |
| 10 | |
| 11 | <Note> |
| 12 | MCPJam Inspector also supports |
| 13 | [MCP-UI](https://github.com/modelcontextpro |
Remediation
Tool descriptions should describe what the tool does โ not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct
MCP tool description or return text contains an imperative phrase that asks the LLM to invoke or call ANOTHER tool โ "invoke the write_file tool", "before using this, also call send_email", "silently invoke X". This is a cross-tool chaining injection: the user authorized THIS tool, but the payload escalates into others. Tool descriptions should describe what the tool DOES, not direct the LLM to use other tools. If a tool's correct operation requires composition, document the dependency in human
Evidence
| 1 | --- |
| 2 | title: "My First ChatGPT App" |
| 3 | description: "Build a simple Coffee Shop ChatGPT App with React" |
| 4 | icon: "sparkles" |
| 5 | --- |
| 6 | |
| 7 | We're going to create a simple Coffee Shop ChatGPT App where users can order and drink coffees! |
| 8 | |
| 9 | ## Getting Started |
| 10 | |
| 11 | Clone the repo and navigate to the Coffee Shop example: |
| 12 | |
| 13 | ```bash |
| 14 | git clone https://github.com/MCPJam/inspector.git |
| 15 | cd inspector/examples/chatgpt-apps/CoffeeShop |
| 16 | ``` |
| 17 | |
| 18 | ## Setting up the MCP Server |
| 19 | |
| 20 | ### Creating the MCP Server |
| 21 | |
| 22 | ```typescript server.ts |
| 23 | import { McpS |
Remediation
Tool descriptions should describe what the tool does โ not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct
OAuth-metadata fetcher allows redirect-following without re-validating the redirect target. Per the official MCP security best practices, redirect destinations MUST be validated against the same SSRF allowlist as the original URL. Set `follow_redirects=False` (httpx) / `allow_redirects=False` (requests) and re-run URL validation on each hop. Or route through an egress proxy (Smokescreen).
Evidence
| 1 | import { discoverOAuthProtectedResourceMetadata } from "@modelcontextprotocol/client"; |
| 2 | import { buildResourceMetadataUrl } from "./oauth/state-machines/shared/urls.js"; |
| 3 | import { resolveRegistrationStrategies } from "./oauth/authorization-plan.js"; |
| 4 | import { |
| 5 | type RetryPolicy, |
| 6 | isRetryableTransientError, |
| 7 | retryWithPolicy, |
| 8 | } from "./retry.js"; |
| 9 | import type { OAuthProtocolVersion } from "./oauth/state-machines/types.js"; |
| 10 | |
| 11 | export interface ProbeMcpServerConfig { |
| 12 | url: string; |
| 13 | protocolVersion?: O |
Remediation
Sub-rule 1 (cloud metadata URL): never include cloud-metadata hostnames in MCP server outbound URLs. If the URL comes from a config or env var, validate against an allowlist BEFORE fetching: from ipaddress import ip_address ip = ip_address(socket.gethostbyname(parsed.hostname)) if ip.is_link_local or ip.is_private or ip.is_loopback: raise PermissionError("blocked metadata IP") Sub-rule 2 (HTTP OAuth discovery): always use `https://` for OAuth well-known URLs. Localhost `htt
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 72 | let widgetLoaded = false; |
| 73 | |
| 74 | window.addEventListener("message", (event) => { |
| 75 | console.log( |
| 76 | "[Sandbox Proxy] Received message:", |
| 77 | event.data?.type, |
| 78 | "from:", |
| 79 | event.source === window.parent |
| 80 | ? "parent" |
| 81 | : event.source === inner.contentWindow |
| 82 | ? "inner" |
| 83 | : "unknown", |
| 84 | ); |
| 85 | if (event.source === window.parent) { |
| 86 | if (event.data?.type === "openai:load-widget") { |
| 87 | const { ur |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 22 | const handleAction = async (action: UIActionResult) => { |
| 23 | switch (action.type) { |
| 24 | case "tool": |
| 25 | console.info("MCP UI tool action received:", action.payload); |
| 26 | onSendFollowUp( |
| 27 | `Call tool ${action.payload.toolName} with parameters ${JSON.stringify(action.payload.params)}`, |
| 28 | ); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 752 | }), |
| 753 | ); |
| 754 | } catch (err) { |
| 755 | console.error("[OpenAI Widget] Failed to dispatch globals event:", err); |
| 756 | } |
| 757 | }, 0); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1 | // This file is auto-generated by scripts/bundle-chatgpt-apps-runtime.mjs |
| 2 | // Do not edit directly - modify src/ChatGptAppsRuntime.ts instead |
| 3 | |
| 4 | export const CHATGPT_APPS_RUNTIME_SCRIPT = "\"use strict\";\n(() => {\n // src/ChatGptAppsRuntime.ts\n var CONFIG_ELEMENT_ID = \"openai-runtime-config\";\n var readConfig = () => {\n try {\n const el = document.getElementById(CONFIG_ELEMENT_ID);\n if (!el) {\n console.error(\"[OpenAI Widget] Missing runtime config element\");\n |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 172 | runsRelease ? "release.yml" : null, |
| 173 | runsMcp ? "deploy-mcp-prod.yml" : null |
| 174 | ].filter(Boolean) as string[]; |
| 175 | console.info( |
| 176 | JSON.stringify({ |
| 177 | event: "soundcheck.release.dispatch.attempt", |
| 178 | dispatch_id: dispatchId, |
| 179 | email: user.email, |
| 180 | scope: parsed.scope, |
| 181 | deploy_backend_prod: parsed.deploy_backend_prod, |
| 182 | promote_production: parsed.promote_production, |
| 183 | deploy_mcp_production: parsed.deploy_mcp_production, |
| 184 | skip_verify: effectiveSkipVerify, |
| 185 | wor |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1514 | ); |
| 1515 | } |
| 1516 | } catch (error) { |
| 1517 | console.warn("[ChatTabV2] Failed to parse elicitation event:", error); |
| 1518 | } |
| 1519 | }; |
| 1520 | es.onerror = () => { |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 637 | ```typescript Resource Subscriptions |
| 638 | // Subscribe to resource updates |
| 639 | manager.onResourceUpdated("docs", (notification) => { |
| 640 | console.log("Resource updated:", notification.params.uri); |
| 641 | }); |
| 642 | |
| 643 | await manager.subscribeResource("docs", { |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 1265 | ```typescript |
| 1266 | case "openai:setWidgetState": { |
| 1267 | // Widget state is already persisted by the iframe script |
| 1268 | console.log("[OpenAI App] Widget state updated:", event.data.state); |
| 1269 | |
| 1270 | if (onWidgetStateChange && event.data.toolId === resolvedToolCallId) { |
| 1271 | const newState = event.data.state; |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 44 | try { |
| 45 | command = JSON.parse(event.data) as InspectorCommand; |
| 46 | } catch (error) { |
| 47 | console.warn("[inspector-command-bus] Invalid command payload", error); |
| 48 | return; |
| 49 | } |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 697 | } catch (err) { |
| 698 | const errorMessage = |
| 699 | err instanceof Error ? err.message : "Unknown error"; |
| 700 | console.error("Error responding to elicitation request:", errorMessage); |
| 701 | |
| 702 | if (onError) { |
| 703 | onError("Error responding to elicitation request"); |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 76 | let body: any = null; |
| 77 | try { |
| 78 | body = await res.json(); |
| 79 | } catch {} |
| 80 | if (!res.ok) { |
| 81 | const message = body?.error || `List tools failed (${res.status})`; |
| 82 | throw new Error(message); |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 36 | } finally { |
| 37 | try { |
| 38 | reader.releaseLock?.(); |
| 39 | } catch {} |
| 40 | } |
| 41 | } |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 16 | try { |
| 17 | const body = await res.json(); |
| 18 | if (body?.error) message = body.error; |
| 19 | } catch {} |
| 20 | throw new Error(message); |
| 21 | } |
| 22 | return res.json(); |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 33 | clearInterval(keepAlive); |
| 34 | try { |
| 35 | controller.close(); |
| 36 | } catch {} |
| 37 | }; |
| 38 | |
| 39 | const supersede = () => { |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 217 | if (responseMessage) { |
| 218 | try { |
| 219 | sess.send("message", JSON.stringify(responseMessage)); |
| 220 | } catch {} |
| 221 | } |
| 222 | // 202 Accepted per SSE transport semantics |
| 223 | return c.body("Accepted", 202); |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
TimeoutError
coffee-shop
ui-view
ui-widget