Mostly safe — a couple of notes worth reading.
Scanned 4/30/2026, 10:02:45 AM·Fast Scan·45 rules·How we decide ↗
AIVSS Score
Low
Severity Breakdown
0
critical
1
high
243
medium
0
low
MCP Server Information
Findings
Dependencies
@hono/node-server (2)
hono (54)
@cloudflare/vite-plugin (1)
Scan Details
Want deeper analysis?
Fast scan found 16 findings using rule-based analysis. Upgrade for LLM consensus across 5 judges, AI-generated remediation, and cross-file taint analysis.
Building your own MCP server?
Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasn’t shipped yet.
16 of 16 findings
16 findings
MCP tool returns content marked as HTML (`{type: "html"}`, `Content-Type: text/html`, or `mimeType: "text/html"`) with no sanitiser on the same code path. The host renders HTML directly — anything tainted in the body becomes a script execution / markup-injection vector. Pipe the body through `DOMPurify.sanitize()` (TS), `bleach.clean()` (Python), `lxml.html.clean.Cleaner`, or `sanitize_html` before returning. Better: return `{type: "text"}` / `text/plain` and let the host escape. Distinct from
Evidence
| 1 | import { McpAgent } from 'agents/mcp' |
| 2 | |
| 3 | import { getEnv } from '@repo/mcp-common/src/env' |
| 4 | import { CloudflareMCPServer } from '@repo/mcp-common/src/server' |
| 5 | |
| 6 | // The demo day MCP server isn't stateful, so we don't have state/props |
| 7 | export type Props = never |
| 8 | |
| 9 | export type State = never |
| 10 | |
| 11 | export type Env = { |
| 12 | ENVIRONMENT: 'development' | 'staging' | 'production' |
| 13 | AUTORAG_NAME: 'cloudflare-docs-autorag' |
| 14 | MCP_SERVER_NAME: 'PLACEHOLDER' |
| 15 | MCP_SERVER_VERSION: 'PLACEHOLDER' |
| 16 | MCP_OBJECT: DurableObjectNamespace |
Remediation
Sanitise the HTML body before return. Prefer `DOMPurify.sanitize(body)` (TS, plenty of MCP servers already bundle it for resource rendering) or `bleach.clean(body, tags=ALLOWED_TAGS, strip=True)` (Python). Even better: return `{type: "text"}` / `Content-Type: text/plain` and let the host's markdown renderer handle escape. HTML output is rarely needed for tool results.
@modelcontextprotocol/sdk==1.20.2 has 3 known CVEs [HIGH]: GHSA-345p-7cg4-v4c7, GHSA-8r9q-7v3j-jr4g, GHSA-w48q-cv73-mx4w. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
@modelcontextprotocol/sdk==1.20.2 has 3 known CVEs [HIGH]: GHSA-345p-7cg4-v4c7, GHSA-8r9q-7v3j-jr4g, GHSA-w48q-cv73-mx4w. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
@modelcontextprotocol/sdk==1.20.2 has 3 known CVEs [HIGH]: GHSA-345p-7cg4-v4c7, GHSA-8r9q-7v3j-jr4g, GHSA-w48q-cv73-mx4w. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
hono==4.7.6 has 20 known CVEs [HIGH]: GHSA-26pp-8wgv-hjvm, GHSA-3vhc-576x-3qv4, GHSA-458j-xx4x-4375 (+17 more). Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
agents==0.2.19 has 3 known CVEs [MEDIUM]: GHSA-cvhv-6xm6-c3v4, GHSA-r7x9-8ph7-w8cg, GHSA-w5cr-2qhr-jqc5. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
agents==0.2.19 has 3 known CVEs [MEDIUM]: GHSA-cvhv-6xm6-c3v4, GHSA-r7x9-8ph7-w8cg, GHSA-w5cr-2qhr-jqc5. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
hono==4.7.6 has 20 known CVEs [HIGH]: GHSA-26pp-8wgv-hjvm, GHSA-3vhc-576x-3qv4, GHSA-458j-xx4x-4375 (+17 more). Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
agents==0.2.19 has 3 known CVEs [MEDIUM]: GHSA-cvhv-6xm6-c3v4, GHSA-r7x9-8ph7-w8cg, GHSA-w5cr-2qhr-jqc5. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
ai==4.3.10 has 1 known CVE [LOW]: GHSA-rwvc-j5jr-mgvh. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
wrangler==4.10.0 has 1 known CVE [HIGH]: GHSA-36p8-mvp6-cv38. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
agents==0.2.19 has 3 known CVEs [MEDIUM]: GHSA-cvhv-6xm6-c3v4, GHSA-r7x9-8ph7-w8cg, GHSA-w5cr-2qhr-jqc5. Upgrade to a patched version.
Remediation
Upgrade the pinned dependency to a patched version. Check the CVE's advisory URL for the recommended safe release, or use `npm audit fix` / `pip-audit --fix`. If no patched release is available yet, pin to a known-good prior version, vendor the fix, or remove the dependency.
mcp_demo_day_info