ICUICU
critical

@modelcontextprotocol/server-memory

v2026.1.26

MCP server for enabling memory for Claude through a knowledge graph

npmpcarletonFirst seen Feb 22, 2026

10

Total

4

Critical

4

High

2

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13:         // Custom path provided, use it as-is (with absolute path resolution)
    14:         return path.isAbsolute(process.env.MEMORY_FILE_PATH)
>>> 15:             ? process.env.MEMORY_FILE_PATH
    16:             : path.join(path.dirname(fileURLToPath(import.meta.url)), process.env.MEMORY_FILE_PATH);
    17:     }
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    12:     if (process.env.MEMORY_FILE_PATH) {
    13:         // Custom path provided, use it as-is (with absolute path resolution)
>>> 14:         return path.isAbsolute(process.env.MEMORY_FILE_PATH)
    15:             ? process.env.MEMORY_FILE_PATH
    16:             : path.join(path.dirname(fileURLToPath(import.meta.url)), process.env.MEMORY_FILE_PATH);
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    14:         return path.isAbsolute(process.env.MEMORY_FILE_PATH)
    15:             ? process.env.MEMORY_FILE_PATH
>>> 16:             : path.join(path.dirname(fileURLToPath(import.meta.url)), process.env.MEMORY_FILE_PATH);
    17:     }
    18:     // No custom path set, check for backward compatibility migration
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: // Handle backward compatibility: migrate memory.json to memory.jsonl if needed
    11: export async function ensureMemoryFilePath() {
>>> 12:     if (process.env.MEMORY_FILE_PATH) {
    13:         // Custom path provided, use it as-is (with absolute path resolution)
    14:         return path.isAbsolute(process.env.MEMORY_FILE_PATH)
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: z{.�����)^=�a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: z{.�����)^=�a

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical10
Feb 23, 2026critical10
Feb 22, 2026critical10