JinaAI Search
Integrates JinaAI's search capabilities for web content discovery, information retrieval, and data extraction
0Tools
9Findings
3Stars
Mar 22, 2026Last Scanned
4 critical · 3 high · 1 medium · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings9
4critical
3high
1medium
1low
Critical4
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`Unknown tool: ${request.params.name}`" (at position 3102)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
criticalK14Agent Credential Propagation via Shared StateMCP05-privilege-escalationAML.T0054
Pattern "(process\.env|os\.environ|setenv|putenv).*(?:token|credential|api[_\s-]?key|secret|password)" matched in source_code: "process.env.JINAAI_API_KEY" (at position 666)
Never write credentials to shared agent state. Use credential vaults (HashiCorp Vault, AWS Secrets Manager) with per-agent scoped access. Implement OAuth token exchange (RFC 8693) for cross-agent authorization. Redact credentials from all agent outputs before writing to shared memory. Required by OWASP ASI03/ASI07 and MAESTRO L7.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "npx\s+(?:mcp-remote|mcp-proxy|mcp-gateway|@modelcontextprotocol)(?!@\d)" matched in source_code: "npx @modelcontextprotocol" (at position 6438)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalQ8Cross-Protocol Authentication ConfusionMCP07-insecure-configT1550
Pattern "(?:oauth|bearer).{0,100}(?:api[_\s-]?key|x-api-key|apiKey)" matched in source_code: "Bearer ${API_KEY" (at position 4050)
MCP servers supporting multiple protocols must enforce authentication independently per protocol. Never reuse OAuth tokens across protocol boundaries. Implement protocol-specific middleware with explicit auth checks on every path. Audit auth coverage for all transport types (stdio, SSE, Streamable HTTP, REST). Reference: CVE-2025-6514 demonstrated that auth library vulnerabilities in MCP's OAuth layer cascade to all protocols sharing the same auth middleware.
High3
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "(invoke|call|execute)[_\s-]?(?:tool|agent|self)(?!.*(?:depth|level|limit|max[_\s-]?(?:depth|recursi|iter|call)|count))" matched in source_code: "CallTool" (at position 212)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "@modelcontextprotocol/sdk@1.8.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highQ14Concurrent MCP Server Race ConditionMCP07-insecure-configT1068
Pattern "(?:read|write|modify|delete).*(?:file|path|directory)(?!.*(?:lock|mutex|semaphore|flock|atomic))" matched in source_code: "readFile" (at position 337)
MCP servers sharing filesystem or database backends with other servers must implement proper concurrency controls. Use: (1) file locking (flock/lockfile) for filesystem operations, (2) database transactions for all read-modify-write sequences, (3) atomic file operations (O_EXCL, mkdtemp) instead of check-then-create, (4) lstat() to detect symlinks before following (CVE-2025-53109). Never assume exclusive access to shared resources — other MCP servers may be operating concurrently.
Medium1
mediumK17Missing Timeout or Circuit BreakerMCP07-insecure-configAML.T0054
Pattern "(?:fetch|axios|got|request|urllib|httpx|http\.get|http\.post)\s*\((?!.*(?:timeout|signal|AbortSignal|deadline|cancel))" matched in source_code: "fetch(" (at position 4940)
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (e.g., opossum, cockatiel). Use AbortSignal for cancellable operations. Required by EU AI Act Art. 15 and OWASP ASI08.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.