GHSA-XCQX-9JF5-W339 is a high-severity uncontrolled resource consumption vulnerability in mcp-searxng (npm), affecting versions < 1.7.1. It is fixed in 1.7.1.
Unbounded Response Body Read Bypasses URL Size Limit in weburlread

Summary

The weburlread MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the Content-Length header of a preliminary HEAD request. When a server omits Content-Length, a standard HTTP practice, checkContentLength() returns null, the guard condition short-circuits to false, and response.text() loads the entire response body into memory without any byte cap. An unauthenticated attacker who controls or can redirect to an HTTP endpoint can force the server process to consume unbounded memory and CPU, leading to a Denial of Service.

Details

weburlread is the entry point (src/index.ts:226-240). It passes the caller-supplied URL directly into readUrlContent() in src/url-reader.ts.

Size-limit check (bypassed)

checkContentLength() (src/url-reader.ts:243-245) returns null when the HEAD response carries no Content-Length header. Because the guard uses the !== null conjunction, a null result causes the entire check to evaluate as false, and execution falls through without enforcing the configured 5 MiB ceiling.

Unbounded sinks

A full GET request is then issued (src/url-reader.ts:367) with no streaming byte cap:

The full HTML string is subsequently passed to NodeHtmlMarkdown.translate() (src/url-reader.ts:429), which amplifies CPU consumption proportional to the body size.

Default exposure

weburlread is enabled by default. In HTTP transport mode, authentication is disabled by default, so AV:N/PR:N applies unconditionally. In stdio mode, an attacker can trigger the path via prompt injection to cause the AI model to call the tool with an attacker-controlled URL.

PoC

Prerequisites

Docker installed. Build context: the repository root (npmAI249ihor-sokoliuk_mcp-searxng/).
Build the image

Run the PoC

The container starts two processes:

- A malicious HTTP server on 127.0.0.1:9799 that responds to HEAD with HTTP 200 and no Content-Length, then responds to GET with a 6,291,456-byte HTML body and no Content-Length.
- mcp-searxng in HTTP mode (MCPHTTPALLOWPRIVATEURLS=true enables loopback URLs for local reproduction).

The PoC script initializes an MCP session and calls:

Observed output (Phase 2 confirmation)

Remediation

Replace both response.text() calls with a streaming reader that aborts once the byte counter exceeds maxContentLengthBytes:

Impact

This is an Uncontrolled Resource Consumption (DoS) vulnerability. Any network-reachable attacker who can supply a URL to the weburl_read tool can force the mcp-searxng process to allocate memory proportional to an arbitrarily large HTTP response body and burn CPU during HTML-to-Markdown conversion. The attack requires no authentication in the default HTTP transport configuration. In stdio mode, the attack surface is accessible through prompt injection targeting the AI agent. Repeated or concurrent invocations can exhaust process memory and render the MCP server unavailable to all legitimate users.

Reproduction artifacts

Dockerfile
poc.py
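The bypassed Content-Length guard and the streaming remediation described above, as an added TypeScript example that is not mcp-searxng's own code: checkContentLength, vulnerableGuardAllows, readBodyCapped, BodyTooLargeError and fakeBody are assumed names, and the response body is modelled as an async iterable of byte chunks (the shape a Node fetch Response.body exposes) so it runs offline.

```typescript
// Added example, not mcp-searxng's code: the Content-Length-only guard beside a
// byte-counting streaming read. Function and class names are illustrative assumptions.
const MAX_CONTENT_LENGTH_BYTES = 5 * 1024 * 1024; // the advisory's 5 MiB ceiling

// Like the advisory's checkContentLength(): null when the HEAD response has no header.
export function checkContentLength(headers: Map<string, string>): number | null {
  const raw = headers.get("content-length");
  if (raw === undefined) return null;
  const n = Number.parseInt(raw, 10);
  return Number.isNaN(n) ? null : n;
}

// The bypassed guard: `len !== null && len > max` is false for null, so a response
// without Content-Length passes with no cap at all.
export function vulnerableGuardAllows(headers: Map<string, string>, max = MAX_CONTENT_LENGTH_BYTES): boolean {
  const len = checkContentLength(headers);
  return !(len !== null && len > max);
}

export class BodyTooLargeError extends Error {
  bytesRead: number;
  constructor(bytesRead: number, max: number) {
    super(`response body exceeded ${max} bytes (read ${bytesRead})`);
    this.bytesRead = bytesRead;
  }
}

// Remediation: count bytes as chunks arrive and abort past the ceiling whether or not
// Content-Length was sent. A Node fetch Response.body can be consumed with `for await`.
export async function readBodyCapped(body: AsyncIterable<Uint8Array>, max = MAX_CONTENT_LENGTH_BYTES): Promise<string> {
  const chunks: Uint8Array[] = [];
  let total = 0;
  for await (const chunk of body) {
    total += chunk.byteLength;
    if (total > max) throw new BodyTooLargeError(total, max); // stop before buffering more
    chunks.push(chunk);
  }
  const joined = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { joined.set(c, offset); offset += c.byteLength; }
  return new TextDecoder().decode(joined);
}

// Constructed stand-in for the PoC server: `size` bytes streamed in chunks, no Content-Length.
export async function* fakeBody(size: number, chunkSize = 64 * 1024): AsyncGenerator<Uint8Array> {
  for (let sent = 0; sent < size; sent += chunkSize) {
    yield new Uint8Array(Math.min(chunkSize, size - sent)).fill(0x41); // ASCII 'A'
  }
}
```

With the 6,291,456-byte body from the PoC, the vulnerable guard admits the response (no header, so null) while readBodyCapped rejects it as soon as the running count passes 5 MiB, without ever holding the full body.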
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
GHSA-XCQX-9JF5-W339 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.7.1). Upgrading removes the vulnerable code path.
Ecosystem: npm
Affected: mcp-searxng (< 1.7.1)
Fixed: mcp-searxng → 1.7.1 (npm)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-XCQX-9JF5-W339 is reachable in your applications. Explore AI application security for your team.
Upgrade mcp-searxng to 1.7.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-XCQX-9JF5-W339 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
mcp-searxng (npm) versions < 1.7.1 are affected.
Yes. GHSA-XCQX-9JF5-W339 is fixed in 1.7.1. Upgrade to this version or later.
Upgrade mcp-searxng to 1.7.1 or later.