v0.2.0 · live
CAPFRAME
§ server · http · findings.v2

NYC Subway Info MCP

https://subwayinfo.nyc/mcp

Score
C54
Findings
23
Tools
23
Last scan
2026-06-05

Severity breakdown

Critical: 0
High: 0
Medium: 23
Low: 0
Info: 0

Worst finding

Tool `mta_get_arrivals` accepts unconstrained string input

· mta_get_arrivals

The following string parameter(s) have no `maxLength` constraint: `direction`, `line`, `station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

All 23 findings

  1. medium
    Tool `mta_get_arrivals` accepts unconstrained string input · mta_get_arrivals · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `direction`, `line`, `station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  2. medium
    Tool `mta_get_line_status` accepts unconstrained string input · mta_get_line_status · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `line`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `mta_list_alerts` accepts unconstrained string input · mta_list_alerts · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `alert_type`, `line`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `mta_search_stations` accepts unconstrained string input · mta_search_stations · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `line`, `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `mta_get_station_info` accepts unconstrained string input · mta_get_station_info · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `mta_plan_trip` accepts unconstrained string input · mta_plan_trip · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `destination_station_id`, `origin_station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `mta_get_planned_work` accepts unconstrained string input · mta_get_planned_work · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `line`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `bus_list_alerts` accepts unconstrained string input · bus_list_alerts · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `route`, `severity`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `bus_get_arrivals` accepts unconstrained string input · bus_get_arrivals · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `direction`, `route`, `stop_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `bus_get_route_info` accepts unconstrained string input · bus_get_route_info · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `route_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `bus_search_stops` accepts unconstrained string input · bus_search_stops · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `borough`, `query`, `route`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `ferry_get_arrivals` accepts unconstrained string input · ferry_get_arrivals · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `direction`, `landing_id`, `route`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `ferry_list_alerts` accepts unconstrained string input · ferry_list_alerts · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `route`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  14. medium
    Tool `ferry_search_landings` accepts unconstrained string input · ferry_search_landings · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `borough`, `query`, `route`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `ferry_get_routes` accepts unconstrained string input · ferry_get_routes · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `route`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `bike_get_station_status` accepts unconstrained string input · bike_get_station_status · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `bike_search_stations` accepts unconstrained string input · bike_search_stations · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `borough`, `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `bike_get_availability_summary` accepts unconstrained string input · bike_get_availability_summary · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `borough`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `rail_get_departures` accepts unconstrained string input · rail_get_departures · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `direction`, `station_id`, `system`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `rail_list_alerts` accepts unconstrained string input · rail_list_alerts · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `severity`, `system`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `rail_search_stations` accepts unconstrained string input · rail_search_stations · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `branch`, `query`, `system`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  22. medium
    Tool `rail_get_station_info` accepts unconstrained string input · rail_get_station_info · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `station_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  23. medium
    Tool `transit_ask` accepts unconstrained string input · transit_ask · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `location`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source: http (live HTTP MCP endpoint), classified against every rule. Findings are emitted in the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.