AlejandroArciniegas mcp-data-vis MCP server.js request sql injection
Platform
nodejs
Component
mcp-data-vis
A vulnerability has been found in AlejandroArciniegas mcp-data-vis bc597e391f184d2187062fd567599a3cb72adf51/de5a51525a69822290eaee569a1ab447b490746d. This affects the function Request of the file src/servers/database/server.js of the component MCP Handler. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
How to fix
Este CVE describe una vulnerabilidad de inyección SQL en el paquete mcp-data-vis. Dado que no hay una versión fija disponible, la recomendación es dejar de usar el paquete o aplicar un parche manual a la función Request en el archivo src/servers/database/server.js para sanitizar las entradas y evitar la inyección SQL. Alternativamente, se puede implementar una capa de abstracción de base de datos que prevenga este tipo de ataques.
Monitor your dependencies automatically
Get notified when new vulnerabilities affect your projects. Free forever.
Start free