We Found and Fixed Security Vulnerabilities in 5 Popular Open-Source Projects

SpiderRating Research · 5 min read
Tags: MCP, Security, Open Source, CWE-208, CWE-22, CWE-78, Vulnerability

> TL;DR: We used SpiderShield to scan thousands of MCP servers and open-source projects. We found real security vulnerabilities, submitted fixes, and 5 have been merged by maintainers — in projects with 86,000+ combined GitHub stars.

---

What We Did

SpiderShield is an open-source security scanner for MCP servers and AI tools. As part of our ongoing effort to improve ecosystem security, we scan public repositories, verify findings manually, and submit fixes to maintainers.

Out of 37 submitted pull requests across 28 projects, 5 have been merged so far. Here's what we found and fixed.

---

The 5 Merged Fixes

1. upstash/context7 — Path Traversal (CWE-22)

Stars: 49,000+ | Merged: March 19, 2026

Context7 is one of the most popular MCP-adjacent projects. We found that the skill file installation endpoint accepted filenames without path boundary validation. An attacker could craft a filename like ../../etc/cron.d/malicious to write files outside the intended directory.

Fix: Added path validation using resolve() + parent directory check.

2. moeru-ai/airi — Timing Attack (CWE-208)

Stars: 35,000+ | Merged: March 24, 2026

Airi's WebSocket authentication compared tokens using JavaScript's !== operator. This is vulnerable to timing side-channel attacks — an attacker can determine the correct token character-by-character by measuring response time differences.

Fix: Replaced with crypto.timingSafeEqual() for constant-time comparison.

3. topoteretes/cognee — Command Injection (CWE-78)

Merged: March 16, 2026

Cognee used subprocess.run(command, shell=True) with user-influenced input. This allows arbitrary command execution if the input contains shell metacharacters.

Fix: Switched to subprocess.run(args_list, shell=False) with proper argument arrays.

4. agentic-community/mcp-gateway-registry — Shell Injection (CWE-78)

Merged: March 16, 2026

The gateway registry used Node.js execSync() with template literal interpolation, allowing command injection through crafted input.

Fix: Replaced with execFileSync(), which passes arguments as an array, eliminating shell interpretation.

5. Flux159/mcp-server-kubernetes — Timing Attack (CWE-208)

Stars: 1,300+ | Merged: March 27, 2026

The Kubernetes MCP server compared authentication tokens using !==. The maintainer requested we add tests, which we did — and the fix was approved the same day.

Fix: crypto.timingSafeEqual() with a unit test.
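
The comparison pattern from fixes 2 and 5, shown beside a hardened form, as an added example that is not the code merged into either project. The function names and the sample token are constructed for illustration, and the HMAC step is an addition here to handle the fact that crypto.timingSafeEqual() throws when its inputs differ in length.

```javascript
// Added example: not the code merged into airi or mcp-server-kubernetes.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Constructed sample secret; a real server would load its own from configuration.
const EXPECTED_TOKEN = "constructed-sample-token-0123456789";

// Random per-process key for the HMAC step below (an addition in this example).
const COMPARE_KEY = randomBytes(32);

// The pattern from the findings: `!==` on strings can stop at the first
// differing character, so its duration can depend on how much of the token matched.
function rejectsUnsafe(presented, expected) {
  return presented !== expected;
}

// Calling timingSafeEqual directly on the raw tokens: it throws a RangeError
// when the byte lengths differ, which turns a wrong-length token into an
// unhandled exception unless the caller catches it.
function matchesNaive(presented, expected) {
  return timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
}

// HMAC both sides so the buffers handed to timingSafeEqual are always 32 bytes.
function fixedLengthDigest(value) {
  return createHmac("sha256", COMPARE_KEY).update(value, "utf8").digest();
}

// Hardened check: fails closed on missing or non-string input, never throws
// on a length mismatch, and compares in constant time.
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (expected.length === 0) return false; // no configured token: reject everything
  return timingSafeEqual(fixedLengthDigest(presented), fixedLengthDigest(expected));
}

// Returns true if the naive variant throws for a wrong-length token.
function naiveThrowsOnLengthMismatch() {
  try {
    matchesNaive("short", EXPECTED_TOKEN);
    return false;
  } catch (err) {
    return err instanceof RangeError;
  }
}
```

A unit test for this kind of fix should cover the wrong-length and missing-token cases as well as the happy path, since those are where a direct timingSafeEqual() call behaves differently from `!==`.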

---

What We Learned

After submitting 37 PRs, here are the patterns that lead to successful merges:

  1. Single-file fixes get merged fastest. All 5 merged PRs changed 1-2 files.
  2. Add tests. One maintainer explicitly requested it. We added 6 unit tests and got same-day approval.
  3. Security fixes are welcome. Maintainers take CWE-classified vulnerabilities seriously.
  4. Be patient. Some PRs take weeks. The airi PR had 9 review comments before being merged.
  5. AI code reviewers matter. Projects using CodeRabbit, Gemini Code Assist, or SonarQube have additional quality gates. Pass them all.

---

By the Numbers

| Metric | Value |
| --- | --- |
| Projects scanned | 15,923 |
| PRs submitted | 37 |
| PRs merged | 5 |
| Combined stars of merged projects | 86,000+ |
| Vulnerability types fixed | CWE-22, CWE-78, CWE-208 |
| Average time to merge | 6 days |

---

Try SpiderShield

SpiderShield is open source and free. Scan your MCP server in one command:

pip install spidershield
spidershield scan /path/to/your/mcp-server

Or check any server's security rating:

spidershield check owner/repo

GitHub: github.com/teehooai/spidershield

---

*All vulnerabilities were responsibly disclosed via GitHub issues before fixes were submitted. We follow coordinated disclosure practices.*