mcphub

CRITICAL RISKS: 1. Remote Code Execution (RCE) via `ServerConfig` 'command' and 'args' fields, allowing arbitrary command execution on the host system. This is a very high-severity vulnerability if server configuration can be modified by an attacker or unauthorized user. 2. DXT file uploads (ZIP archives) pose a high risk for path traversal and arbitrary file writes/execution due to inadequate sandboxing during extraction and processing. 3. Parsing of user-controlled base64-decoded JSON from the `state` parameter in OAuth callbacks could be vulnerable to prototype pollution. 4. The JWT_SECRET falls back to a temporary random key if not explicitly set, creating a critical security flaw in production as it leads to session invalidation on restarts and potential session hijacking if guessed or deduced. 5. Public OAuth dynamic client registration (RFC 7591) without authentication (default config) requires careful security considerations. 6. The `OpenAPIClient`'s `passthroughHeaders` could expose sensitive information or allow injection if not explicitly managed.