mcp-searxng@1.6.0

MCP server for SearXNG integration

  • latest version

    1.11.1

  • latest non vulnerable version

  • first published

    1 years ago

  • latest version published

    1 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the mcp-searxng package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Server-side Request Forgery (SSRF)

    mcp-searxng is a MCP server for SearXNG integration

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the web_url_read process due to insufficient validation in the assertUrlAllowed function. An attacker can access internal network resources and exfiltrate sensitive data by supplying a crafted URL that resolves to a private or loopback IP address via DNS, bypassing hostname string checks. This is only exploitable if the server is running in default HTTP mode with authentication disabled or if an AI agent connected to the server can be influenced to call web_url_read with attacker-controlled input.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade mcp-searxng to version 1.7.1 or higher.

    <1.7.1
    • H
    Allocation of Resources Without Limits or Throttling

    mcp-searxng is a MCP server for SearXNG integration

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the web_url_read process. An attacker can cause excessive memory and CPU consumption by supplying a specially crafted URL that leads the server to read an unbounded HTTP response body, potentially rendering the server unavailable to legitimate users.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade mcp-searxng to version 1.7.1 or higher.

    <1.7.1