MCP Registry Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the MCP Registry catalogue UI, prior to version 1.7.7. The issue arises in the 'server.websiteUrl' field of published 'server.json' files. The vulnerability is due to inadequate server-side validation of URLs, which only ensures that they are absolute, parse correctly, and use the 'https' scheme, without rejecting quote characters. This allows for the injection of event handlers into 'href' attributes, exploiting the Content-Security-Policy to execute scripts. Users with a publish token can introduce malicious URLs that are visible to all registry homepage visitors.
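The validation gap described above, as an added example in Go (not the registry's own code and not the 1.7.7 patch). The function names, the string-concatenating renderer and the sample URL are constructed for illustration; the weak check implements only the three conditions the advisory lists.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
)

// weakValidate applies only the checks the advisory lists: parses, absolute, https.
func weakValidate(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if !u.IsAbs() || u.Scheme != "https" {
		return errors.New("websiteUrl must be an absolute https URL")
	}
	return nil
}

// strictValidate (assumed hardening) also rejects quotes, angle brackets and whitespace.
func strictValidate(raw string) error {
	if err := weakValidate(raw); err != nil {
		return err
	}
	if strings.ContainsAny(raw, "\"'`<> \t\r\n") {
		return errors.New("websiteUrl contains a character that must be percent-encoded")
	}
	return nil
}

// renderNaive is a hypothetical stand-in for a UI that concatenates the value into href.
func renderNaive(raw string) string {
	return `<a href="` + raw + `">website</a>`
}

// renderEscaped encodes the value for the attribute context before insertion.
func renderEscaped(raw string) string {
	return `<a href="` + html.EscapeString(raw) + `">website</a>`
}

// Constructed sample: a quote closes href early and a harmless attribute follows.
const sampleURL = `https://example.com/"data-constructed="1`

func main() {
	fmt.Println(weakValidate(sampleURL), "|", strictValidate(sampleURL))
	fmt.Println(renderNaive(sampleURL), "|", renderEscaped(sampleURL))
}
```

Input validation and output encoding are independent layers: the escaped renderer keeps the value inside the attribute even when a stored entry predates the stricter check.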
Impact
Exploitation of this vulnerability leads to stored cross-site scripting on the MCP Registry homepage. The injected script executes when a user expands the corresponding entry, triggering any attached event handlers. Additionally, the vulnerability allows for manipulation of 'localStorage' items related to the registry, execution of same-origin or cross-origin XMLHttpRequests, and phishing for Registry JWTs by injecting fake authentication flows on the trusted origin.
Reproduction
To reproduce this vulnerability, first obtain a Registry JWT by exchanging a GitHub personal access token through the MCP Registry authentication endpoint. Once the token is acquired, publish a server entry with a 'websiteUrl' that includes a literal quote character, breaking out of the 'href' attribute context. After publishing, visit the MCP Registry homepage, locate the published entry, and expand it to trigger the injected event handler.
Remediation
Users are advised to update to MCP Registry version 1.7.7 or later, where this vulnerability has been fixed.
