Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/994910?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/994910?format=api", "purl": "pkg:npm/%40grackle-ai/mcp@0.39.1", "type": "npm", "namespace": "@grackle-ai", "name": "mcp", "version": "0.39.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.70.2", "latest_non_vulnerable_version": "0.70.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91787?format=api", "vulnerability_id": "VCID-m9wj-e596-u3ca", "summary": "@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool\n### Impact\n\nThe `knowledge_search` and `knowledge_get_node` MCP tools are included in `SCOPED_TOOLS` (visible to scoped agents) but their handlers do not receive `authContext` and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary `workspaceId` parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries.\n\nThis is a **cross-workspace data leakage** vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph data and scoped agents are used.\n\n**Affected code:**\n- `packages/mcp/src/tools/knowledge.ts:146-169` (knowledge_search handler)\n- `packages/mcp/src/tools/knowledge.ts:244-283` (knowledge_get_node handler)\n- `packages/mcp/src/tool-scoping.ts:11` (both tools listed in SCOPED_TOOLS)\n\n**Contrast with correct implementation:** `knowledge_create_node` (same file, lines 334-357) properly receives `authContext` and overrides the user-supplied `workspaceId` for scoped callers.\n\n### Design Note\n\nCross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be **opt-in with explicit grants**, not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:\n- Workspace-level \"share knowledge with\" settings\n- A `cross_workspace` scope on scoped tokens\n- Explicit `workspaceIds` (plural) in the auth context\n\n### Patches\n\n**Fix:** Add `authContext` parameter to `knowledge_search` and `knowledge_get_node` handlers and enforce workspace scoping, matching the pattern in `knowledge_create_node`:\n```typescript\nconst resolvedWorkspaceId =\n authContext?.type === \"scoped\"\n ? authContext.workspaceId ?? \"\"\n : workspaceId ?? \"\";\n```\n\nWhen cross-workspace collaboration is designed, this check can be relaxed intentionally with proper access controls.\n\n### Workarounds\n\nDo not use scoped agent tokens in multi-workspace deployments until patched. Alternatively, remove `knowledge_search` and `knowledge_get_node` from the `SCOPED_TOOLS` set in `tool-scoping.ts`.\n\n### References\n\n- CWE-284: Improper Access Control\n- File: `packages/mcp/src/tools/knowledge.ts`\n- File: `packages/mcp/src/tool-scoping.ts`", "references": [ { "reference_url": "https://github.com/nick-pape/grackle", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nick-pape/grackle" }, { "reference_url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-647h-p824-99w7", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-647h-p824-99w7" }, { "reference_url": "https://github.com/advisories/GHSA-647h-p824-99w7", "reference_id": "GHSA-647h-p824-99w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-647h-p824-99w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114139?format=api", "purl": "pkg:npm/%40grackle-ai/mcp@0.70.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/mcp@0.70.2" } ], "aliases": [ "GHSA-647h-p824-99w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m9wj-e596-u3ca" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540grackle-ai/mcp@0.39.1" }