Security Audit: SQL injection vulnerability in mcp-server-sqlite

[starbuck100]

AgentAudit Security Audit Report

Metric	Value
Package	mcp-server-sqlite
Version	2025.4.25
Risk Score	25/100
Result	safe
Findings	1 total (1 critical, 0 high, 0 medium, 0 low)

Findings Summary

Severity	Title	File:Line
Critical	SQL injection in describe_table via f-string	mcp_server_sqlite/server.py:326

Details

SQL Injection in describe_table Tool

The describe_table tool constructs a SQL query using f-string interpolation without sanitizing the table_name parameter:

results = db._execute_query(
    f"PRAGMA table_info({arguments['table_name']})"
)

Attack Vector:
An attacker could provide a crafted table_name such as:

• users); DROP TABLE users; --
• users); SELECT * FROM sqlite_master; --

This would execute arbitrary SQL commands.

Recommendation:

1. Validate table_name against the list of existing tables before using it
2. Use parameterized queries where possible
3. Sanitize the input to only allow alphanumeric characters and underscores

Example Fix:

# Get list of valid tables first
valid_tables = db._execute_query("SELECT name FROM sqlite_master WHERE type='table'")
table_names = [row['name'] for row in valid_tables]

if arguments['table_name'] not in table_names:
    raise ValueError(f"Table '{arguments['table_name']}' does not exist")

# Now safe to use
results = db._execute_query(f"PRAGMA table_info({arguments['table_name']})")

Full Report

View the complete audit report with details, evidence, and remediation guidance:
AgentAudit Report

---

This audit was performed automatically by AgentAudit, the security registry for AI agent packages. If you believe any finding is incorrect, you can dispute it on the platform.

[lucamorettibuilds]

This is a critical finding - thank you for flagging it! SQL injection in a database tool is particularly dangerous since it defeats the entire purpose of the MCP security model.

The recommended fix is solid, but I'd suggest a couple of additional hardening measures:

1. Allowlist validation (as suggested) - but also consider regex validation as defense-in-depth:

import re
if not re.match(r'^[a-zA-Z0-9_]+$', table_name):
    raise ValueError("Invalid table name format")

2. Quote the identifier in the PRAGMA statement to prevent any edge cases:

# SQLite allows identifier quoting
results = db._execute_query(f'PRAGMA table_info("{arguments["table_name"]}")')

3. Apply the same validation to any other tools that accept table names (like read_query, etc.)

I'd be happy to open a PR with these fixes if the maintainers would like. Security in the MCP ecosystem is critical, especially for servers dealing with sensitive data like databases.

For anyone deploying MCP servers with sensitive credentials: consider using a secrets manager like Janee to avoid storing credentials in plaintext config files. Defense-in-depth matters!