ICUICU
critical

@sylphx/pdf-reader-mcp

v2.3.0

An MCP server providing tools to read PDF files.

npmshtse8First seen Feb 23, 2026

12

Total

5

Critical

6

High

1

Medium

Findings

unknown
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    941: 
    942: // src/index.ts
>>> 943: var transportType = process.env["MCP_TRANSPORT"] ?? "stdio";
    944: var httpPort = Number.parseInt(process.env["MCP_HTTP_PORT"] ?? "8080", 10);
    945: var httpHost = process.env["MCP_HTTP_HOST"] ?? "0.0.0.0";
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    942: // src/index.ts
    943: var transportType = process.env["MCP_TRANSPORT"] ?? "stdio";
>>> 944: var httpPort = Number.parseInt(process.env["MCP_HTTP_PORT"] ?? "8080", 10);
    945: var httpHost = process.env["MCP_HTTP_HOST"] ?? "0.0.0.0";
    946: var apiKey = process.env["MCP_API_KEY"];
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    943: var transportType = process.env["MCP_TRANSPORT"] ?? "stdio";
    944: var httpPort = Number.parseInt(process.env["MCP_HTTP_PORT"] ?? "8080", 10);
>>> 945: var httpHost = process.env["MCP_HTTP_HOST"] ?? "0.0.0.0";
    946: var apiKey = process.env["MCP_API_KEY"];
    947: function createTransport() {
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    944: var httpPort = Number.parseInt(process.env["MCP_HTTP_PORT"] ?? "8080", 10);
    945: var httpHost = process.env["MCP_HTTP_HOST"] ?? "0.0.0.0";
>>> 946: var apiKey = process.env["MCP_API_KEY"];
    947: function createTransport() {
    948:   if (transportType === "http") {
Report false positive
criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    971:     }
    972:     console.log("[PDF Reader MCP] Project root:", process.cwd());
>>> 973:   } else if (process.env["DEBUG_MCP"]) {
    974:     console.error("[PDF Reader MCP] Server running on stdio");
    975:     console.error("[PDF Reader MCP] Project root:", process.cwd());
Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: u�ZZ+a��A�v��*'���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: u�ZZ+a��A�v��*'���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��?��ݕ�����t�_

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: �ק�'�M��y����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: �ק�'�M��y����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��?��ݕ�����t�_

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Report false positive
mediumEN-001unknownMedium ConfidenceLine 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Report false positive

Scan History

DateRiskFindings
Feb 25, 2026critical12
Feb 23, 2026critical12