Mattermost Proxy

Proxy wrapping the official Mattermost MCP server with automatic token extraction from the desktop client.

GitHub
0/100
Critical
0Tools
7Findings
1Stars
Downloads
Mar 22, 2026Last Scanned

Score Breakdown5 categories

</>Code
75
Dependencies
100
Config
0
Description
100
Behavior
100

OWASP MCP Top 10 Coverage

MCP10-supply-chainMCP10-supply-chainFail
MCP02-tool-poisoningMCP02-tool-poisoningPass
MCP07-insecure-configMCP07-insecure-configFail
MCP08-dependency-vulnMCP08-dependency-vulnPass
MCP01-prompt-injectionMCP01-prompt-injectionPass
MCP03-command-injectionMCP03-command-injectionFail
MCP04-data-exfiltrationMCP04-data-exfiltrationFail
MCP09-logging-monitoringMCP09-logging-monitoringPass
MCP05-privilege-escalationMCP05-privilege-escalationFail
MCP06-excessive-permissionsMCP06-excessive-permissionsPass

Findings7

5critical
1high
0medium
1low
0informational
criticalK8Cross-Boundary Credential SharingMCP05-privilege-escalationAML.T0054
Pattern "(return|respond|output|result).*(?:token|credential|api[_\s-]?key|secret|password|bearer)" matched in source_code: "Result = await extractToken" (at position 697)
Never forward, share, or embed credentials across trust boundaries. Use OAuth token exchange (RFC 8693) to create scoped, delegated tokens instead of passing original credentials. Never include credentials in tool responses. Required by ISO 27001 A.5.17 and OWASP ASI03.
criticalP4TLS Certificate Validation BypassMCP07-insecure-configT1557
Pattern "NODE_TLS_REJECT_UNAUTHORIZED\s*[=:]\s*["']?0["']?" matched in source_code: "NODE_TLS_REJECT_UNAUTHORIZED = "0"" (at position 457)
Never disable TLS certificate validation in MCP server code or container configuration. For self-signed certificates in development, configure proper CA trust stores: set NODE_EXTRA_CA_CERTS for Node.js, REQUESTS_CA_BUNDLE for Python, or mount CA certificates into the container trust store. In Kubernetes, use cert-manager for automated TLS certificate management. Disabling TLS validation enables man-in-the-middle attacks on all MCP server communications including tool results and credential exchanges.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "(?:mcp|fastmcp|langchain-mcp|llama-index-mcp)(?:>=|~=|==)?(?!\d)" matched in source_code: "Mcp" (at position 216)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
criticalC1Command InjectionMCP03-command-injectionAML.T0054
Pattern "`[^`]+`" matched in source_code: "`[mattermost-mcp-proxy] ${msg}\n`" (at position 304)
Replace exec()/execSync() with execFile() and pass arguments as an array, never as a string. Validate all inputs against an allowlist before use in any shell context. For subprocess.run, always pass a list and shell=False.
criticalO2HTTP Header Covert ChannelMCP04-data-exfiltrationAML.T0057
Pattern "(?:User-Agent|user_agent)\s*[:=]\s*(?:[^'"\s]*(?:\$\{|\+|Buffer|encode|btoa|base64|secret|token|env))" matched in source_code: "User-Agent: ${" (at position 1085)
Never include application secrets, environment variables, or user data in HTTP headers of outbound requests. Use a strict allowlist of headers for outbound HTTP calls. Log all outbound HTTP requests including full headers for audit purposes. Implement egress filtering that inspects both request bodies AND headers.
highI15Transport Session SecurityMCP07-insecure-configAML.T0054
Pattern "allowInsecure|rejectUnauthorized\s*[:=]\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*[:=]\s*["']?0" matched in source_code: "NODE_TLS_REJECT_UNAUTHORIZED = "0" (at position 457)
Use HTTPS for all MCP Streamable HTTP endpoints. Generate cryptographically random session IDs (min 128 bits entropy). Do not accept session IDs from user input (CVE-2025-6515). Validate TLS certificates — do not disable certificate verification.
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.

Security Category Deep Dive

Sub-Category Tree · Remediation Roadmap · Attack Stories · Compliance Overlay · ATLAS Techniques · Maturity Model

Prompt Injection
Prompt & context manipulation attacks
69
MATURITY
14
RULES
5
SUB-CATS
1
GAPS
64%
IMPL.
56
TESTS
1
STORIES
PI-DIRDirect Input Injection
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-INDIndirect / Gateway Injection
100%4 rules
Hidden instructions via external content and tool responses
PI-CTXContext Manipulation
100%2 rules
Context window saturation and prior-approval exploitation
PI-ENCEncoding & Obfuscation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
PI-TPLTemplate & Output Poisoning
100%2 rules
Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 1014/14
MITRE ATLAS14/14
CoSAI MCP2/14
OWASP Agentic Top 1012/14
Kill Chain Phases
0Initial Access
0Defense Evasion
0Execution
0Persistence