@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
📋 Description
Summary
@cardano402/mcp-server versions <= 0.1.1 ship three security gaps that can lead to unauthorized fund movement when the package is used as designed (an MCP server exposing Cardano payment tools to an
Impact
1. No spending limits on signed payments
An LLM (or prompt-injected LLM) calling tools registered by the MCP server can invoke them in a loop. Each call signs a real Cardano transaction for the catalog-advertised amount. There is no per-call cap, daily ceiling, MCP elicitation/confirmation step, or recipient allowlist. The MAINNET=true env-var guardrail can be bypassed by any LLM with shell-tool access. Worst case: full wallet drain.
2. HTTP transport binds 0.0.0.0 without authentication
cardano402-mcp --transport http listens on all interfaces with no Origin allowlist, no bearer-token requirement, and no CORS check. Anyone on the same LAN can POST MCP tools/call and trigger signed payments from the operator's wallet.
3. SSRF via catalog.server.url
A malicious catalog can declare a server.url pointing at internal infrastructure (e.g. http://169.254.169.254/latest/meta-data). The allowInsecure guard in 0.1.1 only checks the catalog URL itself, not the server.url it returns. endpoint.path is also not normalized, so .. traversal or absolute URLs work.
Patches
Fixed in @cardano402/[email protected]:
- Per-call and per-day spending limits (default 5 ADA / 50 ADA) + optional recipient allowlist + MCP
elicitation/createconfirmation hook. - HTTP transport defaults to
127.0.0.1; non-loopback requires--http-bearer-token; per-requestOriginallowlist + bearer check. catalog.server.urlvalidated against private-CIDR rules (RFC1918, RFC4193, link-local, CGNAT, multicast, IPv4-mapped IPv6, loopback) unlessCARDANO402_ALLOW_INSECURE=true.endpoint.pathrejected if it contains.., NUL, whitespace/CRLF, an absolute URL, or//host/....- Per-tool mainnet opt-in via
--mainnet-confirmed-tools.
Workarounds for 0.1.1 users
- Do not run with
--transport httpon an untrusted network; use--transport stdio(default). - Only point the server at catalogs you control or have audited.
- Use a low-balance hot wallet, never your main wallet.
- Avoid
MAINNET=trueuntil upgraded to 0.1.2.
🎯 Affected products1
- npm/@cardano402/mcp-server:<= 0.1.1