ICUICU
critical

@nexus2520/bitbucket-mcp-server

v1.4.1

MCP server for Bitbucket API integration - supports both Cloud and Server

npm | pdogra | First seen Feb 25, 2026

Total: 20
Critical: 4
High: 15
Medium: 1

Findings

unknown
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    15: const BITBUCKET_APP_PASSWORD = process.env.BITBUCKET_APP_PASSWORD;
    16: const BITBUCKET_TOKEN = process.env.BITBUCKET_TOKEN; // For Bitbucket Server
>>> 17: const BITBUCKET_BASE_URL = process.env.BITBUCKET_BASE_URL || 'https://api.bitbucket.org/2.0';
    18: // Check for either app password (Cloud) or token (Server)
    19: if (!BITBUCKET_USERNAME || (!BITBUCKET_APP_PASSWORD && !BITBUCKET_TOKEN)) {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    12: import { toolDefinitions } from './tools/definitions.js';
    13: // Get environment variables
>>> 14: const BITBUCKET_USERNAME = process.env.BITBUCKET_USERNAME;
    15: const BITBUCKET_APP_PASSWORD = process.env.BITBUCKET_APP_PASSWORD;
    16: const BITBUCKET_TOKEN = process.env.BITBUCKET_TOKEN; // For Bitbucket Server
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13: // Get environment variables
    14: const BITBUCKET_USERNAME = process.env.BITBUCKET_USERNAME;
>>> 15: const BITBUCKET_APP_PASSWORD = process.env.BITBUCKET_APP_PASSWORD;
    16: const BITBUCKET_TOKEN = process.env.BITBUCKET_TOKEN; // For Bitbucket Server
    17: const BITBUCKET_BASE_URL = process.env.BITBUCKET_BASE_URL || 'https://api.bitbucket.org/2.0';
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    14: const BITBUCKET_USERNAME = process.env.BITBUCKET_USERNAME;
    15: const BITBUCKET_APP_PASSWORD = process.env.BITBUCKET_APP_PASSWORD;
>>> 16: const BITBUCKET_TOKEN = process.env.BITBUCKET_TOKEN; // For Bitbucket Server
    17: const BITBUCKET_BASE_URL = process.env.BITBUCKET_BASE_URL || 'https://api.bitbucket.org/2.0';
    18: // Check for either app password (Cloud) or token (Server)
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | SC-003 | Suspicious Commands | Medium Confidence | Line 0

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    149:     let lastEnd = 0;
    150:     let match;
>>> 151:     while ((match = emRegex.exec(decodedText)) !== null) {
    152:         // Add non-highlighted text before this match
    153:         if (match.index > lastEnd) {
high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high | DO-BAS | unknown | Medium Confidence | Line 0

Decoded base64 content: [non-printable binary data]

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium | EN-001 | unknown | Medium Confidence | Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
