[FALSE-NEGATIVE] http/exposures/apis/exposed-mcp-server.yaml

[domwhewell-sage]

Template IDs or paths

- http/exposures/apis/exposed-mcp-server.yaml

Environment

- OS: Kali
- Nuclei: 3.4.4

Steps To Reproduce

1. Create an MCP server on port 8000
2. Browse to the SSE endpoint and obtain a session_id for the messages endpoint
3. Run nuclei -t http/exposures/apis/exposed-mcp-server.yaml --target http://localhost:8000/v1/mcp/messages/?session_id=<sesion_id>

Relevant dumped responses

All the payloads that are sent to the server return

HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 35
Content-Type: application/json
Date: Sat, 07 Jun 2025 15:44:20 GMT
Server: uvicorn

{"error":"Could not parse message"}

Anything else?

JSON-RPC can have positional parameters (which are used in this template) or named parameters (Changing to "params": {} should fix the 400 response)

Even if if the template is changed to include both positional parameters and named parameters the MCP protocol spec states that the response will be a 202 Accepted so this template would fail to detect that

I believe if its updated to send a POST InitializeRequest to the MCP endpoint and the matchers should be updated to detect an InitializeResult (The Mcp-Session-Id looks like its optional from the spec) (See sequence diagram)

[DhiyaneshGeek]

Hi @domwhewell-sage

i have raised PR #12293

Let me know if this fixes the issue

Thanks for raising the issue :)

[domwhewell-sage]

Hi @DhiyaneshGeek,

This is the response I get from the MCP server now

[DBG] [exposed-mcp-server] Dumped HTTP response http://localhost:9001/messages/?session_id=154979cf6053492ca106cf2b9cb8e8bd

HTTP/1.1 202 Accepted
Connection: close
Content-Length: 8
Date: Tue, 10 Jun 2025 10:51:08 GMT
Server: uvicorn

Accepted

And the matchers will not work.

Even if if the template is changed to include both positional parameters and named parameters the MCP protocol spec states that the response will be a 202 Accepted so this template would fail to detect that

I believe if its updated to send a POST InitializeRequest to the MCP endpoint and the matchers should be updated to detect an InitializeResult (The Mcp-Session-Id looks like its optional from the spec) (See sequence diagram)

[DhiyaneshGeek]

Hi @domwhewell-sage

Running on the {{RootURL}} also produces the same result ?

[DhiyaneshGeek]

Also i too see you raised PR #12268

[domwhewell-sage]

Running on the {{RootURL}} also produces the same result ?

As its an SSE server it wont accept these JSON-RPC POST requests to its {{RootURL}}

Also i too see you raised PR #12268

Yes that one detects these SSE servers, and I left it separate to this template as this should be able to detect Streamable HTTP servers

[DhiyaneshGeek]

Hi @domwhewell-sage

Understood,

So we will have separate template for SSE Server and i'll get this matcher fixed for the older template

Hope this works ?

Thanks

[domwhewell-sage]

Yeh that sounds good to me. I'm happy to submit PR for this template (I didn't want to change something that had been verified)