Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published server.json. Server-side validation in internal/validators/validators.go (validateWebsiteURL) only checks that the URL parses, is absolute, and uses the https scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted href attribute via innerHTML, using a homegrown escapeHtml helper that performs the standard textContent → innerHTML round-trip. Per the HTML serialisation algorithm, that round-trip encodes only &, <, > and U+00A0 inside text nodes - it does not encode " or '. A literal " in websiteUrl therefore breaks out of the href attribute, allowing arbitrary on* event handlers to be appended to the same <a> element. The Content-Security-Policy on / is script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com, so the injected event handlers execute.
Any user able to obtain a publish token (e.g. via POST /v0/auth/github-at with their own GitHub account, or POST /v0/auth/none on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage.
Affected component
- Validator:
internal/validators/validators.go-validateWebsiteURL(lines 153-199) - Sink:
internal/api/handlers/v0/ui_index.html-toggleDetails(card, item)at line 432, thehrefattribute built aroundescapeHtml(server.websiteUrl) - Helper:
escapeHtmldefined atinternal/api/handlers/v0/ui_index.htmllines 494-498
Proof of concept
- Obtain a Registry JWT for any namespace you control (a GitHub OAuth exchange against a throwaway account suffices):
TOKEN=$(curl -sS -X POST https://registry.modelcontextprotocol.io/v0/auth/github-at \
-H 'Content-Type: application/json' \
-d '{"github_token":"<gh-pat>"}' | jq -r .registry_token)- Publish a server with a poisoned
websiteUrl. The literal"is preserved end-to-end:
curl -sS -X POST https://registry.modelcontextprotocol.io/v0/publish \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
--data-binary @- <<'EOF'
{
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-09-29/server.schema.json",
"name": "io.github.<your-account>/xss-poc",
"version": "0.0.1",
"description": "hover the website link",
"websiteUrl": "https://example.com/\"onmouseover=alert(document.domain)//"
}
EOF- Visit
https://registry.modelcontextprotocol.io/, search forxss-poc, click the card to expand it, then hover the Website link in the details panel. The injectedonmouseoverfires andalert(document.domain)runs on theregistry.modelcontextprotocol.ioorigin.
Why server-side validation does not catch this
Go's net/url.Parse accepts literal " in the path component:
input="https://example.com/\"onmouseover=alert(1)//" IsAbs=true Scheme="https" Path="/\"onmouseover=alert(1)//"Neither the Huma format:"uri" annotation nor validateWebsiteURL's scheme/IsAbs triplet rejects this string. The architecture's existing protection - repository.url is regex-locked to ^https?://(www\.)?github\.com/[\w.-]+/[\w.-]+/?$ and therefore cannot contain quotes - does not extend to websiteUrl, which has no allowlist.
Why client-side escapeHtml does not catch this
function escapeHtml(text) {
const div = document.createElement('div');
div.textContent = text;
return div.innerHTML;
}Per the HTML5 spec (§13.3 Serialising HTML fragments), the only characters encoded inside the text content of an element are &, <, >, and U+00A0. " and ' are not encoded because in a text-content context they are not special. The helper is therefore safe in element-text contexts (where it is correctly used for name, version, description, etc.) but unsafe inside an attribute value, which is precisely where it is invoked for href on lines 432 and 426.
Impact
- Stored XSS on the official MCP Registry homepage. The malicious entry sits in the public catalogue alongside legitimate ones; any user expanding the entry triggers the payload.
- Because the page is served on the official
registry.modelcontextprotocol.ioorigin, the injected script can: - Read and overwrite
localStorage(baseUrl,customUrl), pinning the user's subsequent reads to an attacker-controlled "Custom" base URL. - Issue any same-origin or cross-origin XHR (
connect-src *is granted). - Phish for Registry JWTs by injecting fake auth flows on the trusted origin.
- The CSP
script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.comdoes not block this because'unsafe-inline'permits inline event-handler attributes.
Suggested remediation (any one suffices)
- Replace the homegrown
escapeHtmlwith an attribute-safe encoder that also escapes",', backtick, and=- the OWASP HTML attribute-encoding rule. - Avoid building the
hrefvia string templates. UsesetAttribute('href', value)instead -setAttributeis not subject to HTML tokenisation, so no breakout is possible. - Tighten
validateWebsiteURLto reject any URL whose raw bytes contain",',<,>,,\t, or\n, or - conservatively - store the canonical re-serialised form (parsedURL.String()percent-encodes such characters in the path). - Drop
'unsafe-inline'fromscript-srcafter auditing the inline scripts on the page.
Approach (3) is the smallest server-side change and immediately neutralises the exploit for any new publishes; approaches (1) or (2) close the class of bug at the sink so future fields with similar patterns are safe by default.
AnalysisAI
Stored cross-site scripting in MCP Registry's catalogue UI allows any user with a publish token to inject arbitrary event handlers via the websiteUrl field by breaking out of an href attribute with an unescaped double-quote character. The server-side URL validator accepts quotes and the client-side escapeHtml helper fails to encode them in attribute context, enabling attackers to execute JavaScript on the registry.modelcontextprotocol.io origin with access to localStorage, XHR, and auth tokens. Vendor-released patch version 1.7.7 available; actively confirmed via proof-of-concept.
Technical ContextAI
The vulnerability stems from a mismatch between HTML parsing and serialization contexts. The Go net/url.Parse function in internal/validators/validators.go accepts literal double-quotes in URL path components without rejection, and the existing validateWebsiteURL function only checks scheme, absoluteness, and parseability - not RFC 3986 character restrictions. The client-side sink is the homegrown escapeHtml function in internal/api/handlers/v0/ui_index.html (lines 494-498), which performs a textContent → innerHTML round-trip. Per HTML5 serialization spec §13.3, this round-trip encodes only &, <, >, and U+00A0 within text nodes; " and ' are not encoded because they are not special in text-content context. When the escaped value is then interpolated into a double-quoted href attribute via string concatenation on line 432, the literal " breaks the attribute boundary, allowing subsequent characters (e.g., onmouseover=alert(1)//) to be parsed as attribute syntax. The CSP policy script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com explicitly permits 'unsafe-inline', which includes inline event handlers, so the injected payload executes. The attack surface is publisher-controlled via the server.json websiteUrl field, accessible to any user who obtains a Registry JWT through /v0/auth/github-at (GitHub OAuth) or /v0/auth/none (if anonymous auth is enabled). The poisoned entry is then displayed to all visitors of the catalogue UI at GET /.
RemediationAI
Upgrade to MCP Registry version 1.7.7 or later, which implements server-side validation rejecting URLs containing quote characters (", '), angle brackets (<, >), whitespace (space, tab, newline, carriage return), and other problematic characters in the websiteUrl field. The patch adds an explicit character-set check in internal/validators/validators.go that rejects invalid characters and instructs publishers to percent-encode such characters if needed (e.g., %20 for space). The fix is applied via commit 78b7bbde07948049b916d76b4769faee461ff930 and PR #1249. For deployments unable to upgrade immediately, apply compensating controls: (1) Disable the /v0/publish endpoint or restrict it to trusted publishers only via authentication or IP allowlisting, preventing untrusted users from planting poisoned entries. (2) Remove 'unsafe-inline' from the script-src CSP directive after auditing all inline scripts on the page, preventing inline event handlers from executing even if attribute-breakout is achieved. (3) Implement Content-Security-Policy stricter than the current policy, using a nonce-based or hash-based approach for legitimate inline scripts. (4) Use DOM attribute-setting methods (element.setAttribute('href', value)) instead of string interpolation for URL attributes in client-side code, as setAttribute bypasses HTML tokenization. Monitor published entries for suspicious websiteUrl values containing special characters, and remove or revoke access for malicious publishers.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30487
GHSA-rqv2-m695-f8j4