GHSA-rp72-5v5q-2446LowDisclosed before NVD

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url

Published
June 26, 2026
Last Modified
June 26, 2026

📋 Description

Summary

@cardano402/mcp-server versions <= 0.1.1 ship three security gaps that can lead to unauthorized fund movement when the package is used as designed (an MCP server exposing Cardano payment tools to an

Impact

1. No spending limits on signed payments

An LLM (or prompt-injected LLM) calling tools registered by the MCP server can invoke them in a loop. Each call signs a real Cardano transaction for the catalog-advertised amount. There is no per-call cap, daily ceiling, MCP elicitation/confirmation step, or recipient allowlist. The MAINNET=true env-var guardrail can be bypassed by any LLM with shell-tool access. Worst case: full wallet drain.

2. HTTP transport binds 0.0.0.0 without authentication

cardano402-mcp --transport http listens on all interfaces with no Origin allowlist, no bearer-token requirement, and no CORS check. Anyone on the same LAN can POST MCP tools/call and trigger signed payments from the operator's wallet.

3. SSRF via catalog.server.url

A malicious catalog can declare a server.url pointing at internal infrastructure (e.g. http://169.254.169.254/latest/meta-data). The allowInsecure guard in 0.1.1 only checks the catalog URL itself, not the server.url it returns. endpoint.path is also not normalized, so .. traversal or absolute URLs work.

Patches

Fixed in @cardano402/[email protected]:

  • Per-call and per-day spending limits (default 5 ADA / 50 ADA) + optional recipient allowlist + MCP elicitation/create confirmation hook.
  • HTTP transport defaults to 127.0.0.1; non-loopback requires --http-bearer-token; per-request Origin allowlist + bearer check.
  • catalog.server.url validated against private-CIDR rules (RFC1918, RFC4193, link-local, CGNAT, multicast, IPv4-mapped IPv6, loopback) unless CARDANO402_ALLOW_INSECURE=true.
  • endpoint.path rejected if it contains .., NUL, whitespace/CRLF, an absolute URL, or //host/....
  • Per-tool mainnet opt-in via --mainnet-confirmed-tools.

Workarounds for 0.1.1 users

  • Do not run with --transport http on an untrusted network; use --transport stdio (default).
  • Only point the server at catalogs you control or have audited.
  • Use a low-balance hot wallet, never your main wallet.
  • Avoid MAINNET=true until upgraded to 0.1.2.

🎯 Affected products1

  • npm/@cardano402/mcp-server:<= 0.1.1

🔗 References (2)