github · firecrawl-mcp-serverHEAD

Evidence

#!/usr/bin/env node

import dotenv from 'dotenv';

import { FastMCP, type Logger } from 'firecrawl-fastmcp';

import { z } from 'zod';

import FirecrawlApp from '@mendable/firecrawl-js';

import type { IncomingHttpHeaders } from 'http';

import { readFile } from 'node:fs/promises';

import path from 'node:path';

dotenv.config({ debug: false, quiet: true });

interface SessionData {

  firecrawlApiKey?: string;

  [key: string]: unknown;

}

function extractApiKey(headers: IncomingHttpHeaders): string | u

RemediationAI

The problem is that `dotenv.config()` loads FIRECRAWL_API_KEY into a global environment variable without validating which caller (user/tenant) is making the request, allowing any caller to use the same API key for their own requests. Replace the global `dotenv.config()` approach with per-request API key extraction from request headers or context: modify the tool handlers to accept an optional `apiKey` parameter from the MCP request context and pass it explicitly to `new FirecrawlApp({ apiKey })` instead of relying on the environment variable. This ensures each caller's credentials are isolated and cannot be confused with another caller's identity. Verify by adding a test that creates two separate MCP requests with different `X-API-Key` headers and confirming each uses its own key, not the global one.

Evidence

#!/usr/bin/env node

import dotenv from 'dotenv';

import { FastMCP, type Logger } from 'firecrawl-fastmcp';

import { z } from 'zod';

RemediationAI

The problem is that `search()` and scraping tools return raw markdown/HTML from arbitrary URLs without any delimiters or provenance markers, allowing an attacker to inject malicious content (e.g., fake tool definitions or instructions) that the LLM will treat as trusted context. Wrap all returned content with explicit provenance delimiters and metadata: modify the tool handlers to return `{ source: url, timestamp, content: "<UNTRUSTED_CONTENT>\n" + markdown + "\n</UNTRUSTED_CONTENT>" }` and document in the tool description that content is user-supplied and should not be trusted for code execution or sensitive decisions. This makes the LLM aware that the content is external and untrusted. Verify by returning a URL with injected prompt instructions and confirming the LLM does not execute them as commands.

Evidence

#!/usr/bin/env node

import { Server } from '@modelcontextprotocol/sdk/server/index.js';

import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';

import {

  Tool,

  CallToolRequestSchema,

  ListToolsRequestSchema,

} from '@modelcontextprotocol/sdk/types.js';

import FirecrawlApp, {

  type ScrapeOptions,

  type MapOptions,

  type Document,

} from '@mendable/firecrawl-js';

import { StreamableHTTP

RemediationAI

The problem is that the `tools/list` route (and likely `tools/call`) has no authentication middleware, allowing anonymous clients to enumerate all available tools and invoke them without authorization. Add authentication middleware at the router level before the route handler: for Express, wrap the route with `app.use(passport.authenticate('bearer', { session: false }))` or a custom `requireAuth` middleware; for FastAPI, add `Depends(verify_jwt)` to the route function signature; for Flask, decorate with `@require_auth` before the route handler. This ensures only authenticated callers can list or invoke tools. Verify by making an unauthenticated HTTP request to `GET /tools/list` and confirming it returns 401 Unauthorized, then with a valid token confirming it returns 200.

Evidence

text: z.string().optional(),

              key: z.string().optional(),

              direction: z.enum(['up', 'down']).optional(),

              script: z.string().optional(),

              fullPage: z.boolean().optional(),

            })

          )

RemediationAI

The problem is that the `script` field accepts an unconstrained string, allowing callers to pass arbitrary JavaScript/shell code that may be executed or logged unsafely. Constrain the `script` field with a maximum length and optional regex pattern: change `script: z.string().optional()` to `script: z.string().max(5000).regex(/^[a-zA-Z0-9_\-\s.(){}[\]]*$/).optional()` to allow only safe characters, or use `.enum()` if only specific scripts are valid. This prevents injection of malicious code through the script parameter. Verify by attempting to pass a script with shell metacharacters (e.g., `; rm -rf /`) and confirming the schema validation rejects it.

LLM consensus

Evidence

`,

  parameters: z

    .object({

      query: z.string().min(1),

      limit: z.number().optional(),

      tbs: z.string().optional(),

      filter: z.string().optional(),

RemediationAI

The problem is that the `query` field accepts an unconstrained string with `.min(1)` but no upper bound, allowing callers to pass extremely long or malicious search queries that could cause DoS or injection attacks. Add a maximum length constraint: change `query: z.string().min(1)` to `query: z.string().min(1).max(500)` to limit query size, and optionally add `.regex(/^[a-zA-Z0-9\s\-_.]*$/)` to restrict to safe search characters. This prevents abuse through oversized or specially-crafted queries. Verify by passing a 10,000-character query string and confirming the schema validation rejects it.

LLM consensus

Evidence

parameters: z.object({

    scrapeId: z.string(),

    prompt: z.string().optional(),

    code: z.string().optional(),

    language: z.enum(['bash', 'python', 'node']).optional(),

    timeout: z.number().min(1).max(300).optional(),

  }).refine(data => data.code || data.prompt, {

RemediationAI

The problem is that the `code` field accepts an unconstrained string, allowing callers to pass arbitrary code of unlimited length that will be executed in the specified language (bash, python, node). Constrain the `code` field with a maximum length: change `code: z.string().optional()` to `code: z.string().max(10000).optional()` to limit code size and prevent DoS or excessively complex payloads. This prevents attackers from submitting infinite loops or memory-exhausting code. Verify by passing a code string larger than 10,000 characters and confirming the schema validation rejects it.

LLM consensus

Evidence

**Returns:** Array of URLs found on the site, filtered by search query if provided.

`,

  parameters: z.object({

    url: z.string().url(),

    search: z.string().optional(),

    sitemap: z.enum(['include', 'skip', 'only']).optional(),

    includeSubdomains: z.boolean().optional(),

RemediationAI

The problem is that the `search` field accepts an unconstrained string, allowing callers to pass arbitrary search terms that could be used for injection or DoS attacks against the URL-scraping backend. Constrain the `search` field with a maximum length: change `search: z.string().optional()` to `search: z.string().max(200).optional()` to limit search term size and prevent abuse. This reduces the attack surface for injection or resource exhaustion. Verify by passing a 5,000-character search string and confirming the schema validation rejects it.

LLM consensus

Evidence

`,

    parameters: z.object({

      sessionId: z.string(),

      code: z.string(),

      language: z.enum(['bash', 'python', 'node']).optional(),

    }),

    execute: async (

RemediationAI

The problem is that the `code` field accepts an unconstrained string, allowing callers to pass arbitrary code of unlimited length that will be executed in a session context. Constrain the `code` field with a maximum length: change `code: z.string()` to `code: z.string().max(10000)` to limit code size and prevent DoS or excessively complex payloads. This prevents attackers from submitting infinite loops or memory-exhausting code. Verify by passing a code string larger than 10,000 characters and confirming the schema validation rejects it.

LLM consensus

Evidence

}

const scrapeParamsSchema = z.object({

  url: z.string().url(),

  formats: z

    .array(

      z.enum([

RemediationAI

The problem is that the `url` field accepts an unconstrained string URL, allowing callers to pass URLs to internal services, private IPs, or malicious domains without validation. Constrain the `url` field with a whitelist or regex: change `url: z.string().url()` to `url: z.string().url().refine(u => !u.includes('localhost') && !u.includes('127.0.0.1') && !u.includes('192.168') && !u.includes('10.0'), { message: 'Private IPs not allowed' })` to block internal addresses, or use `.regex(/^https:\/\/[a-z0-9.-]+\.(com|org|net)$/)` to allow only specific domains. This prevents SSRF attacks. Verify by attempting to pass `http://localhost:8080` and confirming the schema validation rejects it.

LLM consensus

Evidence

}

 `,

  parameters: z.object({

    url: z.string(),

    prompt: z.string().optional(),

    excludePaths: z.array(z.string()).optional(),

    includePaths: z.array(z.string()).optional(),

RemediationAI

The problem is that the `prompt` field accepts an unconstrained string, allowing callers to pass extremely long or malicious prompts that could cause DoS or injection attacks. Constrain the `prompt` field with a maximum length: change `prompt: z.string().optional()` to `prompt: z.string().max(5000).optional()` to limit prompt size and prevent abuse. This prevents attackers from submitting oversized or specially-crafted prompts. Verify by passing a 50,000-character prompt string and confirming the schema validation rejects it.

LLM consensus

Evidence

"lint": "eslint src/**/*.ts",

    "lint:fix": "eslint src/**/*.ts --fix",

    "format": "prettier --write .",

    "prepare": "npm run build",

    "publish-prod": "npm run build && npm publish",

    "publish-beta": "npm run build && npm publish --tag beta"

  },

RemediationAI

The problem is that the `prepare` script runs `npm run build` at install time, executing arbitrary code whenever the package is installed, which could be exploited if the build script is compromised or if a dependency is hijacked. Remove or defer the install-time hook: change the `prepare` script to a manual build step by removing the `"prepare": "npm run build"` line from `package.json` and documenting that users must run `npm run build` manually after installation, or move the build to a CI/CD pipeline instead. This prevents automatic code execution during installation. Verify by running `npm install` in a fresh directory and confirming no build occurs automatically, then manually running `npm run build` and confirming it works.

Evidence

# Generated by https://smithery.ai. See: https://smithery.ai/docs/config#dockerfile

# Use a Node.js image as the base for building the application

FROM node:22-alpine AS builder

# Enable pnpm via corepack

RUN corepack enable && corepack prepare pnpm@latest --activate

# Set the working directory inside the container

WORKDIR /app

# Copy package.json and pnpm-lock.yaml to install dependencies

COPY package.json pnpm-lock.yaml ./

# Install dependencies (ignoring scripts to prevent running the pre

RemediationAI

The problem is that the Dockerfile runs the application as root, so any RCE vulnerability or malicious code execution inside the container gains full system privileges. Add a non-root user before the CMD: insert `RUN addgroup -g 1000 appuser && adduser -D -u 1000 -G appuser appuser` and `USER 1000` before the final `CMD` or `ENTRYPOINT` directive in the Dockerfile. This limits the blast radius of any container escape or code execution to unprivileged user permissions. Verify by building the image, running it, and executing `id` inside the container to confirm the process runs as UID 1000 (non-root).

Evidence

## Service image: Node (FastMCP) + NGINX sidecar in one container

# 1) Build stage

FROM node:22-alpine AS builder

WORKDIR /app

# Enable pnpm via corepack

RUN corepack enable && corepack prepare pnpm@latest --activate

COPY package.json pnpm-lock.yaml ./

# Install dev dependencies for the build, but skip scripts to avoid running

# the package "prepare" script before the source code is copied.

RUN pnpm install --frozen-lockfile --ignore-scripts

COPY . .

RUN pnpm run build

# 2) Runtime stage (

RemediationAI

The problem is that the Dockerfile.service runs the application as root, so any RCE vulnerability or malicious code execution inside the container gains full system privileges. Add a non-root user before the CMD: insert `RUN addgroup -g 1000 appuser && adduser -D -u 1000 -G appuser appuser` and `USER 1000` before the final `CMD` or `ENTRYPOINT` directive in the Dockerfile.service. This limits the blast radius of any container escape or code execution to unprivileged user permissions. Verify by building the image, running it, and executing `id` inside the container to confirm the process runs as UID 1000 (non-root).

Evidence

<div align="center">

  <a name="readme-top"></a>

  <img

    src="https://raw.githubusercontent.com/firecrawl/firecrawl-mcp-server/main/img/fire.png"

    height="140"

  >

</div>

# Firecrawl MCP Server

A Model Context Protocol (MCP) server implementation that integrates with [Firecrawl](https://github.com/firecrawl/firecrawl) for searching, scraping, and interacting with the web.

> Big thanks to [@vrknetha](https://github.com/vrknetha), [@knacklabs](https://www.knacklabs.ai) for the initial imp

RemediationAI

The problem is that the README and manifest do not declare any authentication mechanism, making it unclear whether the server is protected and how reviewers should audit access control. Add an explicit `auth` or `authorization` field to the manifest and document it in the README: add a section like `## Authentication: This server requires a valid Firecrawl API key passed via the FIRECRAWL_API_KEY environment variable or per-request header` and update the manifest JSON to include `"auth": { "type": "apiKey", "location": "header", "name": "X-API-Key" }`. This makes the authentication model explicit and auditable. Verify by reviewing the README and confirming the authentication mechanism is clearly documented for users and reviewers.

Evidence

#!/usr/bin/env node

import { Server } from '@modelcontextprotocol/sdk/server/index.js';

import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';

import {

  Tool,

  CallToolRequestSchema,

  ListToolsRequestSchema,

} from '@modelcontextprotocol/sdk/types.js';

import FirecrawlApp, {

  type ScrapeOptions,

  type MapOptions,

  type Document,

} from '@mendable/firecrawl-js';

import { StreamableHTTP

RemediationAI

The problem is that state-changing routes (POST/PUT/PATCH/DELETE) lack CSRF protection, allowing cross-site requests to modify state while the user's cookies ride along if cookie-based sessions are used. Apply CSRF middleware at the router level: for Express, add `const csrf = require('csurf'); app.use(csrf()); app.post('/route', (req, res) => { /* handler */ })` to protect all POST routes; for FastAPI, add `from fastapi_csrf_protect import CsrfProtect; CsrfProtect(app)` and decorate routes with `@csrf_protect`; for Flask, add `from flask_wtf.csrf import CSRFProtect; csrf = CSRFProtect(app)`. This prevents CSRF attacks by validating tokens on state-changing requests. Verify by making a cross-origin POST request without a CSRF token and confirming it is rejected with 403 Forbidden.

Evidence

steps:

      - name: 'Checkout GitHub Action'

        uses: actions/checkout@main

      - name: 'Login to GitHub Container Registry'

        uses: docker/login-action@v1

RemediationAI

The problem is that `actions/checkout@main` uses a mutable branch reference, allowing a compromised maintainer or tag rewrite to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/checkout@main` with `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

password: ${{secrets.GITHUB_TOKEN}}

      - name: 'Set up Docker Buildx'

        uses: docker/setup-buildx-action@v1

      - name: 'Build Service Image'

        uses: docker/build-push-action@v2

RemediationAI

The problem is that `docker/login-action@v1` and `docker/build-push-action@v2` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: docker/login-action@v1` with `uses: docker/login-action@9780b0c56667666bca7ee0d6ff1a1c5a7edc33d4 # v1.5.0` and `uses: docker/build-push-action@v2` with `uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v2.10.0` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.

Evidence

contents: read

    steps:

      - uses: actions/checkout@v5

      - name: Install pnpm

        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

RemediationAI

The problem is that `actions/checkout@v5` and `actions/setup-node@v4` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: actions/checkout@v5` with `uses: actions/checkout@a5ac7e51b41094c153674e0e265ab8620f0be3fb # v4.1.1` and `uses: actions/setup-node@v4` with `uses: actions/setup-node@60edb5dd545a775178fba8f164beabf835104efa # v4.0.2` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.

Evidence

version: 10

      - name: Set up Node.js

        uses: actions/setup-node@v4

        with:

          node-version: "20"

          cache: "pnpm"

RemediationAI

The problem is that `actions/setup-node@v4` uses a mutable version tag, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/setup-node@v4` with `uses: actions/setup-node@60edb5dd545a775178fba8f164beabf835104efa # v4.0.2` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v3

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

RemediationAI

The problem is that `actions/checkout@v3` and `pnpm/action-setup@v4` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: actions/checkout@v3` with `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` and `uses: pnpm/action-setup@v4` with `uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.0.0` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.

Evidence

uses: docker/setup-buildx-action@v1

      - name: 'Build Service Image'

        uses: docker/build-push-action@v2

        with:

          context: .

          file: ./Dockerfile.service

RemediationAI

The problem is that `docker/setup-buildx-action@v1` and `docker/build-push-action@v2` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: docker/setup-buildx-action@v1` with `uses: docker/setup-buildx-action@4c0219f9ac624f65b47eb3123aafdf1e458a5480 # v1.2.0` and `uses: docker/build-push-action@v2` with `uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v2.10.0` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.

Evidence

- uses: actions/checkout@v3

      - name: Setup pnpm

        uses: pnpm/action-setup@v4

        with:

          version: 10

RemediationAI

The problem is that `pnpm/action-setup@v4` uses a mutable version tag, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: pnpm/action-setup@v4` with `uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.0.0` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

password: ${{ secrets.GITHUB_TOKEN }}

      - name: 'Set up Docker Buildx'

        uses: docker/setup-buildx-action@v1

      - name: 'Build Service Image'

        uses: docker/build-push-action@v2

RemediationAI

The problem is that `docker/setup-buildx-action@v1` and `docker/build-push-action@v2` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: docker/setup-buildx-action@v1` with `uses: docker/setup-buildx-action@4c0219f9ac624f65b47eb3123aafdf1e458a5480 # v1.2.0` and `uses: docker/build-push-action@v2` with `uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v2.10.0` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.

Evidence

uses: actions/checkout@main

      - name: 'Login to GitHub Container Registry'

        uses: docker/login-action@v1

        with:

          registry: ghcr.io

          username: ${{ github.actor }}

RemediationAI

The problem is that `actions/checkout@main` uses a mutable branch reference, allowing a compromised maintainer or branch rewrite to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/checkout@main` with `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

uses: actions/checkout@main

      - name: 'Login to GitHub Container Registry'

        uses: docker/login-action@v1

        with:

          registry: ghcr.io

          username: ${{github.actor}}

RemediationAI

The problem is that `actions/checkout@main` uses a mutable branch reference, allowing a compromised maintainer or branch rewrite to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/checkout@main` with `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

runs-on: ubuntu-latest

    steps:

      - name: 'Checkout GitHub Action'

        uses: actions/checkout@main

      - name: 'Login to GitHub Container Registry'

        uses: docker/login-action@v1

RemediationAI

The problem is that `actions/checkout@main` uses a mutable branch reference, allowing a compromised maintainer or branch rewrite to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/checkout@main` with `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

version: 10

      - name: Use Node.js

        uses: actions/setup-node@v3

        with:

          node-version: '20.x'

          cache: 'pnpm'

RemediationAI

The problem is that `actions/setup-node@v3` uses a mutable version tag, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the action to a specific commit SHA: replace `uses: actions/setup-node@v3` with `uses: actions/setup-node@8f152de45cc393bb48ce5d6f9a02a8fd8a2c40ba # v3.5.1` (or the appropriate SHA for the desired version). This ensures the exact version of the action is used and cannot be silently replaced. Verify by running the workflow and confirming the action uses the pinned SHA in the logs.

Evidence

uses: docker/setup-buildx-action@v1

      - name: 'Build Service Image'

        uses: docker/build-push-action@v2

        with:

          context: .

          file: ./Dockerfile.service

RemediationAI

The problem is that `docker/setup-buildx-action@v1` and `docker/build-push-action@v2` use mutable version tags, allowing a compromised maintainer to inject malicious code into the CI pipeline. Pin the actions to specific commit SHAs: replace `uses: docker/setup-buildx-action@v1` with `uses: docker/setup-buildx-action@4c0219f9ac624f65b47eb3123aafdf1e458a5480 # v1.2.0` and `uses: docker/build-push-action@v2` with `uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v2.10.0` (or appropriate SHAs). This ensures the exact versions are used and cannot be silently replaced. Verify by running the workflow and confirming the actions use the pinned SHAs in the logs.