v0.2.0 · live
CAPFRAME
§ serversandboxfindings.v2

MongoDB MCP

npm:mongodb-mcp-server@1.11.0

Score: D2
Findings: 36
Tools: 25
Last scan: 2026-06-05

Severity breakdown

Critical: 0
High: 13
Medium: 23
Low: 0
Info: 0

Worst finding

Tool `aggregate-db` accepts an unbounded monetary / quota value

· aggregate-db

The numeric parameter(s) `responseBytesLimit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

All 36 findings

  1. high
    Tool `aggregate-db` accepts an unbounded monetary / quota value · aggregate-db · excessive agency

    The numeric parameter(s) `responseBytesLimit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  2. high
    Tool `aggregate` accepts an unbounded monetary / quota value · aggregate · excessive agency

    The numeric parameter(s) `responseBytesLimit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  3. high
    Tool `collection-schema` accepts an unbounded monetary / quota value · collection-schema · excessive agency

    The numeric parameter(s) `responseBytesLimit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  4. high
    Tool `create-collection` name implies a side effect that is not declared · create-collection · excessive agency

    `create-collection` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  5. high
    Tool `create-index` name implies a side effect that is not declared · create-index · excessive agency

    `create-index` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  6. high
    Tool `delete-many` name implies a side effect that is not declared · delete-many · excessive agency

    `delete-many` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  7. high
    Tool `drop-collection` name implies a side effect that is not declared · drop-collection · excessive agency

    `drop-collection` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  8. high
    Tool `drop-database` name implies a side effect that is not declared · drop-database · excessive agency

    `drop-database` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  9. high
    Tool `drop-index` name implies a side effect that is not declared · drop-index · excessive agency

    `drop-index` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  10. high
    Tool `find` accepts an unbounded monetary / quota value · find · excessive agency

    The numeric parameter(s) `limit`, `responseBytesLimit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  11. high
    Tool `mongodb-logs` accepts an unbounded monetary / quota value · mongodb-logs · excessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  12. high
    Tool `update-many` name implies a side effect that is not declared · update-many · excessive agency

    `update-many` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  13. high
    Tool `search-knowledge` accepts an unbounded monetary / quota value · search-knowledge · excessive agency

    The numeric parameter(s) `limit` have a money/quota-shaped name but no `maximum` constraint. An LLM tricked by indirect-injection can call the tool with arbitrarily large values.

    fix: Add a `maximum` (and ideally `minimum`) to each money/quota numeric, OR enforce the cap via a capframe-bind `--limit` caveat at the agent boundary.

  14. medium
    Tool `aggregate-db` accepts unconstrained string input · aggregate-db · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `aggregate` accepts unconstrained string input · aggregate · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `collection-indexes` accepts unconstrained string input · collection-indexes · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `collection-schema` accepts unconstrained string input · collection-schema · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `collection-storage-size` accepts unconstrained string input · collection-storage-size · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `connect` accepts unconstrained string input · connect · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `connectionString`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `count` accepts unconstrained string input · count · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `create-collection` accepts unconstrained string input · create-collection · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  22. medium
    Tool `create-index` accepts unconstrained string input · create-index · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`, `name`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  23. medium
    Tool `db-stats` accepts unconstrained string input · db-stats · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  24. medium
    Tool `delete-many` accepts unconstrained string input · delete-many · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  25. medium
    Tool `drop-collection` accepts unconstrained string input · drop-collection · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  26. medium
    Tool `drop-database` accepts unconstrained string input · drop-database · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  27. medium
    Tool `drop-index` accepts unconstrained string input · drop-index · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`, `indexName`, `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  28. medium
    Tool `explain` accepts unconstrained string input · explain · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`, `verbosity`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  29. medium
    Tool `export` accepts unconstrained string input · export · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`, `exportTitle`, `jsonExportFormat`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  30. medium
    Tool `find` accepts unconstrained string input · find · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  31. medium
    Tool `insert-many` accepts unconstrained string input · insert-many · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  32. medium
    Tool `list-collections` accepts unconstrained string input · list-collections · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  33. medium
    Tool `mongodb-logs` accepts unconstrained string input · mongodb-logs · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  34. medium
    Tool `rename-collection` accepts unconstrained string input · rename-collection · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`, `newName`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  35. medium
    Tool `update-many` accepts unconstrained string input · update-many · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `collection`, `database`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  36. medium
    Tool `search-knowledge` accepts unconstrained string input · search-knowledge · unconstrained input

    The following string parameter(s) have no `maxLength` constraint: `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source: sandbox. Live `tools/list` captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.