
inspector

by modelcontextprotocol

Overview

Inspect, debug, and interact with Model Context Protocol (MCP) servers, including OAuth authentication flows, resource management, and tool execution.

Installation

Run Command
npm run dev

Environment Variables

  • HOST
  • CLIENT_PORT
  • SERVER_PORT
  • DANGEROUSLY_OMIT_AUTH
  • ALLOWED_ORIGINS
  • INSPECTOR_URL

Security Notes

The server component (MCP Inspector Proxy) presents critical security risks. It parses untrusted JSON strings taken directly from URL query parameters (`query.env`) and HTTP headers (`x-custom-auth-headers`, `x-mcp-proxy-auth`) with `JSON.parse`. This is a severe JSON injection vulnerability, potentially leading to prototype pollution or remote code execution, depending on the JavaScript runtime. The proxy also accepts a server URL from a query parameter (`query.url`) and uses it to open connections (`SSEClientTransport`, `StreamableHTTPClientTransport`). This is a Server-Side Request Forgery (SSRF) vulnerability that lets an attacker make the proxy send requests to arbitrary internal or external systems. Parsing arguments from a query parameter (`query.args`) with `shell-quote` in order to spawn external commands adds a potential command injection risk. A session token is generated on startup to authenticate requests to the proxy, but it can be bypassed by setting the `DANGEROUSLY_OMIT_AUTH` environment variable, which can lead to unauthorized access if misconfigured. These vulnerabilities make it extremely unsafe to run in any environment where it might be exposed to untrusted users or the public internet.

Stats

Interest Score: 100
Security Score: 1
Cost Class: Low
Stars: 7849
Forks: 1031
Last Update: 2025-12-06

Tags

MCP, Protocol Inspector, Debugging, API Testing, OAuth, Client