In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade @kozou/core to version 1.8.1 or higher.
@kozou/core is a Kozou core: Schema Context, type definitions, UI Hints zod schema, DataAdapter interface.
Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insufficient validation of the Host and Origin headers in the MCP HTTP server, unbounded request-body buffering, improper transaction handling for read requests, and default network exposure of unauthenticated development surfaces. An attacker can gain unauthorized access to sensitive schema metadata, execute exposed functions with elevated privileges, exhaust server memory, or perform unintended write operations by sending crafted HTTP requests or exploiting network exposure. This is only exploitable if the MCP HTTP server or Admin UI is accessible from an untrusted network, or if the opt-in call execution tool is enabled in a non-loopback or unauthenticated deployment.
This vulnerability can be mitigated by binding the Admin UI and MCP HTTP server to loopback and publishing their host ports on 127.0.0.1 only, not enabling the MCP call execution tool on non-loopback or unauthenticated deployments, placing an authenticating reverse proxy with Host/Origin validation and request-body limits in front of any non-loopback deployment, and changing the demo database's default credentials and restricting its port.