Summary
The AuthMiddleware.validateRequest() method in src/mcp/auth/AuthMiddleware.ts uses direct === comparison for Bearer token validation. This is vulnerable to timing attacks (CWE-208) where an attacker can extract the secret token byte-by-byte by measuring response time differences.
Location
- File: src/mcp/auth/AuthMiddleware.ts, line 22
- Code: return parsed.token === this.authToken;
Impact
An attacker with network access to the MCP server endpoint can potentially extract the authentication token through statistical analysis of response timing. The === operator in JavaScript/TypeScript short-circuits on the first differing character, leaking information about how many leading characters match.
Suggested Fix
Replace === with crypto.timingSafeEqual(), comparing SHA-256 digests of the presented token and the configured token rather than the raw strings. Hashing first gives two fixed-length buffers (timingSafeEqual throws if the lengths differ), and timingSafeEqual does not short-circuit on the first mismatch, so the comparison takes the same time regardless of input length or how many leading characters match.
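The vulnerable comparison beside the suggested hardened form, as an added example for this report rather than code from the project; the helper names (tokenMatchesUnsafe, tokenMatchesSafe, parseBearer, validateRequest) and the header-parsing rule are assumptions, and the secret values in comments are constructed.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not the project's AuthMiddleware; helper names are hypothetical.

// Vulnerable form: === compares character by character and returns on the
// first mismatch, so response time depends on the length of the matching
// prefix (CWE-208).
function tokenMatchesUnsafe(presented: string, expected: string): boolean {
  return presented === expected;
}

// Hardened form: hash both values to fixed-length SHA-256 digests, then
// compare with crypto.timingSafeEqual. Hashing first means both buffers
// are always 32 bytes (timingSafeEqual throws on a length mismatch), and
// timingSafeEqual does not short-circuit on the first differing byte.
function tokenMatchesSafe(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Parses an Authorization header of the form "Bearer <token>" (scheme
// matched case-insensitively). Returns null when missing or malformed.
function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Validates an incoming Authorization header against the configured secret,
// using the constant-time comparison above.
function validateRequest(authHeader: string | undefined, authToken: string): boolean {
  const token = parseBearer(authHeader);
  if (token === null) return false; // no header or not a Bearer token
  return tokenMatchesSafe(token, authToken);
}
```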
Found by SpiderShield security scanner