Critical Security Vulnerabilities: API Credential Exposure and Financial Risk #947

Closed
opened 2025-10-14 16:29:32 -06:00 by navan · 0 comments

Originally created by @eugene-yaroslavtsev on 4/15/2025

Critical Security Vulnerabilities in claude-task-master

Description

This repository contains several critical security vulnerabilities related to credential handling, lack of API usage controls, and inadequate input validation. These issues create significant financial and security risks for users.

Security Vulnerabilities

1. Insecure Credential Management

The application handles Anthropic and Perplexity API keys (which can incur significant charges) with inadequate protection:

In index.js:

```javascript
// Line ~29-31
const packageJson = require('./package.json');

// Export the path to the dev.js script for programmatic usage
export const devScriptPath = resolve(__dirname, './scripts/dev.js');
```

In mcp-server/src/index.js:

```javascript
// Lines ~37-38
// Start the FastMCP server with increased timeout
await this.server.start({
    transportType: 'stdio',
    timeout: 120000 // 2 minutes timeout (in milliseconds)
});
```

The MCP server directly accesses environment variables without validation:

In mcp-server/src/tools/utils.js (inferred path):
API keys are likely passed through without sanitization or validation.

Data Flow:

  1. API keys loaded from environment variables (no validation)
  2. Keys passed directly to Anthropic/Perplexity client constructors
  3. API clients exposed through MCP server
  4. No rate limits or usage tracking between credential use and API calls

2. No API Usage Controls

In scripts/modules/ai-services.js (or equivalent):

```javascript
// Missing rate limiting code in API call functions like callClaude, generateSubtasks, etc.
// Example implementation likely includes direct API calls without:
// - Rate limiting
// - Usage caps
// - Throttling
// - Monitoring
```

In mcp-server/src/core/direct-functions/expand-task.js:

```javascript
// When making API calls to generate subtasks, no controls exist to:
// - Limit token usage
// - Prevent excessive spending
// - Monitor for abnormal usage patterns
```

3. Input Validation Deficiencies

In scripts/modules/commands.js:

```javascript
// Around line ~300-350 (example location based on file review)
const taskId = parseInt(options.id, 10);
// User input directly passed to AI without sanitization
const prompt = options.prompt;
// ...
```

In mcp-server/src/tools/expand-task.js:

```javascript
// User input directly passed to API calls without proper sanitization
// Prompts containing malicious content could lead to prompt injection
```

4. MCP Server Security Weaknesses

In mcp-server/server.js:

```javascript
// No authentication or authorization controls
// No credential isolation
// No request validation
```

In mcp-server/src/tools/index.js:

```javascript
// Registration of tools without security validation
registerListTasksTool(server);
registerSetTaskStatusTool(server);
registerParsePRDTool(server);
// ...and many others
```

Technical Impact

  1. Financial Exposure: A malicious prompt or buggy implementation could cause:

    • Infinite loops generating API calls
    • Excessive token usage
    • Thousands of dollars in charges before detection
  2. Credential Theft Risk: The MCP server exposes credentials without proper isolation:

    • No secure credential storage
    • Credentials in plaintext environment variables
    • No credential rotation or validation
  3. Data Security: Lack of input validation enables:

    • Prompt injection attacks
    • Potential extraction of sensitive information
    • Manipulation of task data

End-to-End Data Flow Analysis

  1. Credential Loading:

    • .env file → Environment variables → Direct usage in API clients
    • No validation, encryption, or secure storage
  2. User Input → API Calls:

    • CLI/MCP input → Minimal/no sanitization → Direct API calls
    • Missing: input validation, prompt sanitization, rate limiting
  3. API Response Handling:

    • Responses parsed without proper error handling
    • Missing: response validation, error boundaries, safe parsing
  4. MCP Server Communication:

    • Local network service → Direct credential access → API calls
    • Missing: authentication, authorization, request validation

Recommendation

Given the severity of these issues, this repository should be:

  1. Immediately archived until critical security fixes are implemented
  2. Updated with explicit security warnings about financial risks
  3. Substantially redesigned to include:
    • Secure credential management with proper isolation
    • API usage controls including rate limiting and monitoring
    • Comprehensive input validation and sanitization
    • Proper authentication for the MCP server component

Until these changes are implemented, users face significant financial and security risks when using this tool.
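The issue above names three missing controls (sections 1 to 3 and the data-flow analysis): keys read from the environment without validation, API calls with no rate limit or token budget, and prompts passed to the model without bounds checking. The block below is an added example of what a minimal guard layer for those three points can look like; it is not code from claude-task-master. The `client` function is a hypothetical stand-in for an Anthropic or Perplexity call, the environment object and key values are constructed samples, and the tokens-per-character estimate is a rough assumption, not a provider figure.

```javascript
// Added example, not code from claude-task-master: a guard layer between
// environment-provided API keys, user prompts, and an AI client.

// 1. Credential loading: fail fast on a missing or malformed key and hand
//    back a redacted form for logs so the secret itself is never logged.
function loadApiKey(env, name) {
  const raw = env[name];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`${name} is not set`);
  }
  const key = raw.trim();
  // Provider keys are single-line tokens; embedded whitespace almost always
  // means a mangled .env entry (a pasted newline, a stray quote).
  if (/\s/.test(key)) {
    throw new Error(`${name} contains whitespace; check the .env entry`);
  }
  return { key, redacted: `${name}=${key.slice(0, 4)}...(${key.length} chars)` };
}

// 2. Usage controls: a fixed-window call limit plus a cumulative token
//    budget. `now` is injectable so the window logic can be tested offline.
class UsageGuard {
  constructor({ maxCallsPerWindow, windowMs, tokenBudget, now = Date.now }) {
    this.maxCallsPerWindow = maxCallsPerWindow;
    this.windowMs = windowMs;
    this.tokenBudget = tokenBudget;
    this.now = now;
    this.windowStart = now();
    this.callsInWindow = 0;
    this.tokensUsed = 0;
  }

  // Called before an API request with an estimate of the tokens it will use.
  acquire(estimatedTokens) {
    const t = this.now();
    if (t - this.windowStart >= this.windowMs) {
      this.windowStart = t;
      this.callsInWindow = 0;
    }
    if (this.callsInWindow >= this.maxCallsPerWindow) {
      throw new Error('rate limit: too many API calls in window');
    }
    if (this.tokensUsed + estimatedTokens > this.tokenBudget) {
      throw new Error('token budget exhausted');
    }
    this.callsInWindow += 1;
  }

  // Called after the response with the provider-reported token count, so the
  // budget tracks real spend rather than the estimate.
  record(actualTokens) {
    this.tokensUsed += actualTokens;
  }
}

// 3. Input validation: bound the prompt before it reaches the model. This
//    cannot stop prompt injection by itself, but it rejects non-strings,
//    empty or oversized input, and control characters other than tab/newline.
function validatePrompt(prompt, { maxLength = 4000 } = {}) {
  if (typeof prompt !== 'string') throw new Error('prompt must be a string');
  const trimmed = prompt.trim();
  if (trimmed.length === 0) throw new Error('prompt is empty');
  if (trimmed.length > maxLength) throw new Error(`prompt exceeds ${maxLength} chars`);
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(trimmed)) {
    throw new Error('prompt contains control characters');
  }
  return trimmed;
}

// Wire the pieces together. `client` is a hypothetical synchronous function
// (prompt) => { text, tokens } standing in for the provider SDK call; a real
// call would be awaited, the guard logic is unchanged.
function guardedCall(client, guard, rawPrompt) {
  const prompt = validatePrompt(rawPrompt);
  const estimate = Math.ceil(prompt.length / 4); // assumed ~4 chars per token
  guard.acquire(estimate);
  const result = client(prompt);
  guard.record(result.tokens);
  return result.text;
}

// Constructed sample run: a fake environment and a stub client.
const sampleEnv = { ANTHROPIC_API_KEY: '  sk-ant-constructed-key-123  ' };
const sampleKey = loadApiKey(sampleEnv, 'ANTHROPIC_API_KEY');
const sampleGuard = new UsageGuard({ maxCallsPerWindow: 5, windowMs: 60000, tokenBudget: 1000 });
const stubClient = (p) => ({ text: `stub reply to: ${p}`, tokens: 40 });
console.log(sampleKey.redacted, '->', guardedCall(stubClient, sampleGuard, 'expand task 7'));
```

The guard is deliberately process-local: it bounds what one MCP server instance can spend, which is the failure the issue describes (a loop or oversized prompt burning through a budget before anyone notices). Provider-side spend limits and per-key usage alerts remain the backstop for anything this layer does not see.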

Reference: github/claude-task-master#947