javadoc-mcp-server
by bitfist
Overview
A Spring AI-powered Model Context Protocol (MCP) server that provides AI assistants with seamless access to Java library documentation by fetching, converting, and caching Javadoc from Maven artifacts.
Installation
./gradlew bootRun
Security Notes
The server has a critical path traversal vulnerability during Javadoc JAR extraction. The `extractJavaDocJar` function in `DefaultJavadocProvider.kt` does not sufficiently sanitize `entry.name` from the `ZipInputStream` before resolving the target path using `Path.resolve`. This allows a maliciously crafted Javadoc JAR to write files to arbitrary locations on the server's file system, potentially leading to remote code execution or data corruption/exfiltration. Additionally, while less severe, user-controlled input `fullyQualifiedClassName` is used to construct file paths, which could lead to reading unintended files within the extracted Javadoc directory structure if not carefully validated by the AI calling the tool.
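The mitigation for the extraction issue described above, as an added Kotlin example (not code from the javadoc-mcp-server project): each entry's resolved path is normalized and must stay under the extraction root before anything is written. `extractJarSafely`, the sample entry names and the temporary directory are hypothetical; it assumes the target directory is created and owned by the server.

```kotlin
import java.io.*
import java.nio.file.*
import java.util.zip.*

// Hypothetical helper, not the project's extractJavaDocJar: extracts an archive
// and rejects any entry whose resolved path leaves targetDir.
fun extractJarSafely(jar: InputStream, targetDir: Path): List<Path> {
    val root = targetDir.toAbsolutePath().normalize()
    Files.createDirectories(root)
    val written = mutableListOf<Path>()
    ZipInputStream(jar).use { zip ->
        while (true) {
            val entry = zip.nextEntry ?: break
            // normalize() collapses "../" segments; an absolute entry name makes
            // resolve() discard root. The element-wise startsWith check catches both.
            val target = root.resolve(entry.name).normalize()
            if (!target.startsWith(root) || (!entry.isDirectory && target == root)) {
                throw IOException("Blocked archive entry outside target dir: ${entry.name}")
            }
            if (entry.isDirectory) {
                Files.createDirectories(target)
            } else {
                Files.createDirectories(target.parent)
                Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING)
                written += target
            }
        }
    }
    return written
}

fun main() {
    // Constructed sample archive: one ordinary entry, then one traversal entry.
    val bytes = ByteArrayOutputStream().also { buf ->
        ZipOutputStream(buf).use { out ->
            for (name in listOf("com/example/Foo.html", "../../escape.txt")) {
                out.putNextEntry(ZipEntry(name))
                out.write("sample".toByteArray())
                out.closeEntry()
            }
        }
    }.toByteArray()
    val dir = Files.createTempDirectory("javadoc-demo")
    try {
        extractJarSafely(ByteArrayInputStream(bytes), dir)
    } catch (e: IOException) {
        println("rejected: ${e.message}")
    }
    println("ordinary entry extracted: ${Files.exists(dir.resolve("com/example/Foo.html"))}")
}
```

`Path.startsWith` compares whole path elements, so a sibling directory whose name merely begins with the root's name does not pass the check, which a plain string-prefix comparison would allow.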
Similar Servers
mcp-server
Provides a Model Context Protocol (MCP) server for AI agents to search and retrieve curated documentation for the Strands Agents framework, facilitating AI coding assistance.
easy-code-reader
Provides a Model Context Protocol (MCP) server for AI assistants to intelligently read Java source code from local projects and Maven dependencies, supporting decompilation and multi-module analysis.
mcp-codestyle-server
Provides code template search and retrieval tools for IDEs and AI agents via the Model Context Protocol (MCP).
mcp-annotated-java-sdk
Annotation-driven framework for building Model Context Protocol (MCP) servers in Java, simplifying the definition and integration of resources, prompts, and tools for LLM applications.