Fritz!Box
Manage AVM Fritz!Box routers over TR-064 with curated and generic tools for network devices, WiFi, security audits, and port forwarding.
Tools: 0
Findings: 9
Stars: 0
Last scanned: Mar 24, 2026
2 critical · 5 high · 1 medium · 1 low findings detected
Security Category Deep Dive

Prompt Injection (prompt and context manipulation attacks)
Maturity: 69 · Rules: 14 · Sub-Categories: 5 · Gaps: 1 · Implemented: 64% · Tests: 56 · Stories: 1

This panel describes the scanner's rule coverage for the category, not a finding against this server; none of the nine findings below is a prompt-injection finding.

Sub-categories and rule coverage:
Injection via tool descriptions and parameter fields: 100% (3 rules)
Hidden instructions via external content and tool responses: 100% (4 rules)
Context window saturation and prior-approval exploitation: 100% (2 rules)
Payload hiding via invisible chars, base64, schema fields: 100% (3 rules)
Injection via prompt templates and runtime tool output: 100% (2 rules)

GAP-001 (Prompt Injection Coverage Gap): missing detection coverage for emerging prompt-injection variants not addressed by current rules.
Findings: 9 (2 critical, 5 high, 1 medium, 1 low)

Critical (2)
[critical] Q13 MCP Bridge Package Supply Chain Attack (MCP10-supply-chain, AML.T0054)
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "MCP" (at position 64). Note that the match is the bare, case-insensitive token "MCP" with no version operator behind it, which is as consistent with a module docstring or tool description as with an unpinned dependency; confirm against the project's pyproject/requirements and lockfile before treating it as an unpinned import.
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets: CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges, no >= or ~= specifiers) and commit a lockfile (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without a pinned version. Check dependencies for known vulnerabilities with `npm audit` or `pip-audit` before deployment; integrity against tampering comes from the hashes recorded in the lockfile, not from the audit. Reference: CVE-2025-6514, OWASP ASI04.
[critical] K14 Agent Credential Propagation via Shared State (MCP05-privilege-escalation, AML.T0054)
Pattern "(process\.env|os\.environ|setenv|putenv).*(?:token|credential|api[_\s-]?key|secret|password)" matched in source_code: "os.environ["FRITZBOX_PASSWORD" (at position 1453). The rule fires on the environment read itself; reading the router password from FRITZBOX_PASSWORD at startup is the normal way a locally launched MCP server is configured, and the page does not show the value being written anywhere else. What has to be verified is where the value travels afterwards: it must not appear in tool results, resources, logs or any state another agent can read, and the same applies to the session id (sid) the server obtains with it.
Never write credentials to shared agent state. Use credential vaults (HashiCorp Vault, AWS Secrets Manager) with per-agent scoped access. Implement OAuth token exchange (RFC 8693) for cross-agent authorization. Redact credentials from all agent outputs before writing to shared memory. Required by OWASP ASI03/ASI07 and MAESTRO L7.
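The redaction step this remediation asks for, as an added example that is not the project's code: it collects secret values from the environment (the FRITZBOX_PASSWORD variable named in the finding among them), adds the 16-hex-digit Fritz!Box session id, and scrubs both from a tool result before it is returned or written to shared state. The `safe_tool_result` name and the 8-character minimum for a value to count as a secret are assumptions; the sample result string is constructed.

```python
import os
import re

# Added example, not the project's code. FRITZBOX_PASSWORD is the variable named
# in the finding; the 16-hex-digit "sid" is the Fritz!Box session id that the
# server sends with every data.lua request. Both must be scrubbed from anything
# written to shared agent state, resources, logs or tool results.
SECRET_KEY_RE = re.compile(r"token|credential|api[_\s-]?key|secret|password", re.I)
SID_RE = re.compile(r'(["\']?sid["\']?\s*[=:]\s*["\']?)([0-9a-fA-F]{16})(?![0-9a-fA-F])')


def secret_values(env=os.environ) -> list:
    """Values of every env var whose name looks like a credential (same key
    pattern the scanner's rule uses). Values shorter than 8 characters are
    skipped (assumed threshold) so a short value cannot blank out whole outputs.
    Longest first, so a secret containing another is removed whole."""
    vals = {v for k, v in env.items() if SECRET_KEY_RE.search(k) and len(v) >= 8}
    return sorted(vals, key=len, reverse=True)


def redact(text: str, secrets) -> str:
    """Replace known secret values and any Fritz!Box session id with a marker."""
    for value in secrets:
        text = text.replace(value, "[REDACTED]")
    return SID_RE.sub(r"\g<1>[REDACTED]", text)


def safe_tool_result(result: str, env=os.environ) -> str:
    """Wrap every tool return value with this before it leaves the server."""
    return redact(result, secret_values(env))


if __name__ == "__main__":
    # Constructed environment and tool output, not taken from the project.
    fake_env = {"FRITZBOX_PASSWORD": "hunter2-secret!", "FRITZBOX_HOST": "fritz.box",
                "FRITZBOX_USER": "admin"}
    raw = ('login to http://fritz.box/login_sid.lua as admin: password=hunter2-secret! '
           '-> {"sid": "0123456789abcdef"} sid=fedcba9876543210')
    print(safe_tool_result(raw, fake_env))
```

The host name and user name survive redaction because only values under credential-like keys and the sid parameter are replaced; if the server ever puts the password into a resource or a log line, the same function is the single place to apply before the write.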
High (5)
[high] C3 Server-Side Request Forgery (SSRF) (MCP04-data-exfiltration, AML.T0057)
[AST taint — Python] environment source "os.environ" (L410) → assignment (L410) → ssrf sink "session.post(f"http://{host}/data.lua", data={"sid": sid, "p" (L278). HTTP POST with user-controlled URL. Module: requests. Known sanitizers: validate_url; the reported path contains no sanitizer node.
Validate URLs against an allowlist of permitted hosts. Use URL parsing to verify scheme and host before requesting. All four SSRF findings in this report share the single source at L410, so one validated host value (or one URL-building helper) fixes them together. The interpolated host is an operator-set environment variable rather than tool input, which limits who can redirect the requests, but a value such as `evil.example/#` or `fritz.box@evil.example` changes the target of every request, and those requests carry the username, login data and session id to whatever host is reached.
[high] C3 Server-Side Request Forgery (SSRF) (MCP04-data-exfiltration, AML.T0057)
[AST taint — Python] environment source "os.environ" (L410) → assignment (L410) → ssrf sink "session.post(f"http://{host}/data.lua", data=payload)" (L427). HTTP POST with user-controlled URL. Module: requests. Known sanitizers: validate_url; the reported path contains no sanitizer node.
Remediation as for the first SSRF finding above: same source (L410), same allowlist check on the parsed host.
[high] C3 Server-Side Request Forgery (SSRF) (MCP04-data-exfiltration, AML.T0057)
[AST taint — Python] environment source "os.environ" (L410) → assignment (L410) → ssrf sink "s.get(f"http://{host}/login_sid.lua?version=2")" (L89). HTTP GET with user-controlled URL. Module: requests. Known sanitizers: validate_url; the reported path contains no sanitizer node.
Remediation as for the first SSRF finding above: same source (L410), same allowlist check on the parsed host.
[high] D1 Known CVEs in Dependencies (MCP08-dependency-vuln)
Dependency "mcp@null" has known CVEs: (the CVE list did not render on this page). The "null" version most likely means the scanner could not resolve which version of the `mcp` package the server uses, which is what an unpinned specifier or a missing lockfile entry looks like to a dependency check; the finding therefore records an unresolved version rather than a confirmed vulnerable one and cannot be triaged until the version is pinned.
Pin the dependency, then update to a version that patches any known CVEs. For this Python server run `pip-audit` against the resolved environment; `npm audit fix` is the Node equivalent.
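A check that serves both the Q13 pattern match and the unresolved `mcp@null` version, as an added example that is not the project's code: it reads a requirements.txt and a package.json and reports the bridge packages named in the findings that lack an exact pin (no specifier, or a `>=`, `~=`, `^`, `~`, `*` range). An unpinned `mcp` entry is exactly the case that resolves to "null" in a dependency check. The sample files are constructed for the example.

```python
import json
import re

# Added example, not the project's code. Packages named as supply-chain targets
# in the findings; names are compared after PEP 503 normalization.
BRIDGE_PACKAGES = {
    "mcp", "fastmcp", "mcp-remote", "mcp-proxy",
    "langchain-mcp", "llama-index-mcp", "@modelcontextprotocol/sdk",
}

# name, optional [extras], then everything up to a comment, marker or continuation
_REQ_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^#;\\]*)"
)
_PY_EXACT = re.compile(r"^===?\s*[0-9][0-9A-Za-z.+!-]*$")            # ==1.9.0, ===1.9.0
_NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")  # 1.12.0, 1.12.0-rc.1


def normalize(name: str) -> str:
    """PEP 503 normalization; npm scoped names are only lower-cased."""
    return name.lower() if name.startswith("@") else re.sub(r"[-_.]+", "-", name).lower()


def unpinned_python(requirements: str) -> list:
    """(name, specifier, reason) for every bridge package without an exact == pin."""
    problems = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, -r/-e/--hash options
            continue
        m = _REQ_LINE.match(line)
        if not m or normalize(m["name"]) not in BRIDGE_PACKAGES:
            continue
        spec = m["spec"].strip()
        if not spec:
            problems.append((m["name"], spec, "no version specifier"))
        elif "*" in spec or not _PY_EXACT.match(spec):
            problems.append((m["name"], spec, "version range, not an exact pin"))
    return problems


def unpinned_node(package_json: str) -> list:
    """Same check for package.json ranges (^, ~, x, *, latest, >=...)."""
    data = json.loads(package_json)
    problems = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if normalize(name) in BRIDGE_PACKAGES and not _NPM_EXACT.match(spec):
                problems.append((name, spec, "version range, not an exact pin"))
    return problems


# Constructed sample files, not the project's own; version strings are illustrative.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
mcp[cli]>=1.0
fastmcp~=2.0
requests==2.32.3
mcp-proxy
"""
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "mcp-remote": "^0.1.0",
    "@modelcontextprotocol/sdk": "1.12.0",
    "express": "^4.19.0"
  }
}"""

if __name__ == "__main__":
    for hit in unpinned_python(SAMPLE_REQUIREMENTS) + unpinned_node(SAMPLE_PACKAGE_JSON):
        print("%-28s %-10s %s" % hit)
```

Run it in CI against the committed manifests; a non-empty result should fail the build, and a lockfile (uv.lock, package-lock.json) should then be what the deployment installs from.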
[high] C3 Server-Side Request Forgery (SSRF) (MCP04-data-exfiltration, AML.T0057)
[AST taint — Python] environment source "os.environ" (L410) → assignment (L410) → ssrf sink "s.post(f"http://{host}/login_sid.lua", data={"username": use" (L104). HTTP POST with user-controlled URL. Module: requests. Known sanitizers: validate_url; the reported path contains no sanitizer node.
Remediation as for the first SSRF finding above: same source (L410), same allowlist check on the parsed host.
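One implementation of the allowlist check the four SSRF findings ask for, as an added example that is not the project's code: the host value is parsed and validated once, every request URL is then built from it, and `validate_url` (the sanitizer name the scanner recognizes) accepts a complete URL only if its scheme is http(s) and its host passes the same check. `ALLOWED_HOSTS` is an assumed operator allowlist seeded with AVM's default name and address; a real deployment would load it from configuration next to the router host variable.

```python
import ipaddress
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# Added example, not the project's code. ALLOWED_HOSTS is an assumed allowlist
# (AVM's default hostname and LAN address); load it from configuration in practice.
ALLOWED_HOSTS = {"fritz.box", "192.168.178.1"}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


def validate_host(raw: str, allowed=ALLOWED_HOSTS) -> str:
    """Return a normalized host[:port] for a bare host value, or raise ValueError.

    Rejects anything that would change the request target when dropped into
    f"http://{host}/...": schemes, paths, '#'/'?' truncation, userinfo, junk ports.
    """
    if not raw or re.search(r"[\s/\\?#@]", raw):
        raise ValueError(f"host must be a bare host[:port], got {raw!r}")
    parts = urlsplit("http://" + raw)
    host, port = parts.hostname, parts.port          # .port raises on a non-numeric port
    if host is None:
        raise ValueError(f"no hostname in {raw!r}")
    try:
        ipaddress.ip_address(host)                   # literal IPv4/IPv6 is fine
    except ValueError:
        if len(host) > 253 or not all(_LABEL.match(label) for label in host.split(".")):
            raise ValueError(f"invalid hostname {host!r}")
    if host not in {h.lower() for h in allowed}:
        raise ValueError(f"host {host!r} is not in the router allowlist")
    netloc_host = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    return f"{netloc_host}:{port}" if port else netloc_host


def is_valid_host(raw: str, allowed=ALLOWED_HOSTS) -> bool:
    """Boolean form of validate_host for callers that only need a yes/no."""
    try:
        validate_host(raw, allowed)
        return True
    except ValueError:
        return False


def validate_url(url: str, allowed=ALLOWED_HOSTS) -> str:
    """Accept only http(s) URLs whose authority passes validate_host; return the
    URL unchanged or raise ValueError. Userinfo in the authority is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    validate_host(parts.netloc, allowed)
    return url


def fritzbox_url(host: str, path: str, allowed=ALLOWED_HOSTS, **query) -> str:
    """Build a request URL from a validated host and a literal path such as
    "/login_sid.lua" or "/data.lua"; query values are encoded, never formatted in."""
    if not path.startswith("/") or any(c in path for c in "?#"):
        raise ValueError(f"path must be absolute and free of query/fragment: {path!r}")
    netloc = validate_host(host, allowed)
    return urlunsplit(("http", netloc, path, urlencode(query), ""))


if __name__ == "__main__":
    print(fritzbox_url("fritz.box", "/login_sid.lua", version=2))
    for candidate in ("192.168.178.1", "evil.example", "fritz.box/#", "fritz.box@evil.example"):
        print(f"{candidate!r}: {'ok' if is_valid_host(candidate) else 'rejected'}")
```

Validating the host once where it is read from the environment (the single source the four findings share) and routing every request through `fritzbox_url` removes the f-string sinks entirely; the allowlist, not just the syntax check, is what stops a hostile value from pointing the login and data calls at another host.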
Medium (1)
[medium] K17 Missing Timeout or Circuit Breaker (MCP07-insecure-config, AML.T0054)
Pattern "(?:query|execute|find|select|aggregate)\s*\((?!.*(?:timeout|maxTimeMS|statement_timeout|deadline|cancel))" matched in source_code: "find(" (at position 2653). The rule targets database query calls; in a Python TR-064 client the matched `find(` is more plausibly `str.find` or an ElementTree `Element.find` on a SOAP response, neither of which takes a timeout. The exposure that does exist is in the requests calls shown elsewhere in this report, such as `session.post(f"http://{host}/data.lua", data=payload)`, which pass no `timeout=`; requests has no default timeout, so an unresponsive router blocks the tool call indefinitely.
Add timeouts to ALL external calls: HTTP requests (30s), database queries (10s), subprocess execution (60s), and MCP tool calls (30s). Implement circuit breakers that open after N consecutive failures (opossum and cockatiel for Node, pybreaker for Python). Use AbortSignal for cancellable operations in JavaScript; in Python pass `timeout=` on every requests call. Required by EU AI Act Art. 15 and OWASP ASI08.
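The two controls this remediation names, as an added example that is not the project's code: a mandatory (connect, read) timeout on every requests call and a small circuit breaker that opens after N consecutive failures, waits a cooldown, then lets one probe call through. The breaker takes an injectable clock so its state machine can be exercised without sleeping; the `DEFAULT_TIMEOUT` values and the `guarded_*` names are assumptions.

```python
import time

# Added example, not the project's code. (connect, read) timeouts in seconds:
# requests blocks forever without an explicit timeout, so every call gets one.
DEFAULT_TIMEOUT = (5, 30)


class CircuitOpen(RuntimeError):
    """Raised instead of calling the router while the breaker is open."""


class CircuitBreaker:
    """Open after `threshold` consecutive failures, stay open for `reset_after`
    seconds, then let one probe call through (half-open); a success closes the
    breaker, a failure re-opens it and restarts the cooldown. `clock` is
    injectable so the logic can be tested without sleeping."""

    def __init__(self, threshold=3, reset_after=30.0, clock=time.monotonic):
        self.threshold = threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after:
            return "half-open"
        return "open"

    def call(self, fn, *args, **kwargs):
        if self.state == "open":
            raise CircuitOpen(f"breaker open after {self.failures} consecutive failures")
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()   # (re)open and restart the cooldown
            raise
        self.failures = 0
        self.opened_at = None
        return result


def guarded_request(session, method: str, url: str, breaker: CircuitBreaker, **kwargs):
    """requests.Session.<method> with a mandatory timeout, routed through the
    breaker. Callers may pass their own timeout= but can no longer omit it."""
    kwargs.setdefault("timeout", DEFAULT_TIMEOUT)
    return breaker.call(getattr(session, method), url, **kwargs)


def guarded_post(session, url, breaker, **kwargs):
    return guarded_request(session, "post", url, breaker, **kwargs)


def guarded_get(session, url, breaker, **kwargs):
    return guarded_request(session, "get", url, breaker, **kwargs)


if __name__ == "__main__":
    # Constructed stand-in for requests.Session so the demo runs offline.
    class FakeSession:
        def post(self, url, **kw):
            return kw

    breaker = CircuitBreaker(threshold=3, reset_after=30.0)
    print(guarded_post(FakeSession(), "http://fritz.box/data.lua", breaker, data={})["timeout"])
    print(breaker.state)
```

With a real `requests.Session` the call sites become `guarded_post(session, url, breaker, data=payload)`; a single breaker per router keeps the tool from hammering a device that has stopped answering, and the read timeout bounds how long any one MCP tool call can hang.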
Low (1)
[low] F4 MCP Spec Non-Compliance (MCP07-insecure-config)
Server fails MCP spec compliance checks. Required: server_name, server_version, protocol_version. Recommended: tool_descriptions, parameter_descriptions.
Follow the MCP specification for server metadata: report the server name and version in `serverInfo` and the negotiated `protocolVersion` in the initialize result, and give every tool and every input-schema property a description, since those descriptions are what the client model relies on to choose a tool and fill in its arguments.