MCP Server implemented in JavaScript using Node.js that demonstrates how to build an MCP server with a custom prompt and custom tools, including one that loads an environment variable from a configuration file, to integrate seamlessly with AI-assisted environments like Cursor IDE.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"mcp-server-node": {
"args": [
"-y",
"@modelcontextprotocol/sdk"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Overview · Features · Installation · Testing with MCP Inspector · Setting Environment Variables for Testing · Integrating with Cursor AI · Using the MCP Tool in Cursor (Agent Mode) · Code Overview · References & Resources · License
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@modelcontextprotocol/sdk' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
### Summary Cross-client data leak via two distinct issues: (1) reusing a single `StreamableHTTPServerTransport` across multiple client requests, and (2) reusing a single `McpServer`/`Server` instance across multiple transports. Both are most common in stateless deployments. ### Impact This advisory covers two related but distinct vulnerabilities. A deployment may be affected by one or both. #### Issue 1: Transport re-use **What happens:** When a single `StreamableHTTPServerTransport` insta
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability
### Impact A ReDoS vulnerability in the `UriTemplate` class allows attackers to cause denial of service. The `partToRegExp()` function generates a regex pattern with nested quantifiers (`([^/]+(?:,[^/]+)*)`) for exploded template variables (e.g., `{/id*}`, `{?tags*}`), causing catastrophic backtracking on malicious input. **Who is affected:** MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients. **Attack result:** An attacker sen
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with `StreamableHTTPServerTransport` or `SSEServerTransport` and has not enabled `enableDnsRebindingProtection`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access re
Click any tool to inspect its schema.
add_numbersA predefined prompt that allows AI models to infer the usage of the addition tool
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in developer-tools
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
Manage Supabase projects — databases, auth, storage, and edge functions
MCP Security Weekly
Get CVE alerts and security updates for Mcp Server Node and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Overview · Features · Installation · Testing with MCP Inspector · Setting Environment Variables for Testing · Integrating with Cursor AI · Using the MCP Tool in Cursor (Agent Mode) · Code Overview · References & Resources · License
MCP (Model Context Protocol) is a framework that allows you to integrate custom tools into AI-assisted development environments—such as Cursor AI. MCP servers expose functionality (like data retrieval or code analysis) so that an LLM-based IDE can call these tools on demand. Learn more about MCP in the Model Context Protocol Introduction.
This project demonstrates an MCP server implemented in JavaScript using Node.js. It defines two tools: add, which takes two numeric inputs and returns their sum, and getApiKey, which retrieves the API key from the API_KEY environment variable. It also provides a predefined prompt add_numbers that allows AI models to infer the usage of the addition tool.
StdioServerTransport for integration with development environments.Clone the Repository
git clone <repository_url>
cd <repository_directory>
Install Dependencies
You can install the project dependencies in one of two ways:
Option 1: Install using the existing package.json
Simply run:
npm install
Option 2: Install dependencies manually
If you prefer, delete the existing package.json and install the required packages manually:
npm install @modelcontextprotocol/sdk zod
Then, update the newly generated package.json file to include the following lines, which enables ES Modules and adds the mcp inspector command:
"type": "module",
"scripts": {
"inspector": "npx @modelcontextprotocol/inspector node ./mcp-server.js"
}
The MCP Inspector is a debugging tool that lets you test your server's tools interactively before integrating with an IDE.
Option 1: Run directly with npx
npx @modelcontextprotocol/inspector node ./mcp-server.js
Option 2: Use the npm script
npm run inspector
This will:
Open the MCP Server Inspector on the browser: http://localhost:6274/
To test the getApiKey tool with different API keys, you can set environment variables before running the inspector:
Linux/macOS (Bash/Zsh):
# Temporary (current session only)
export API_KEY="your-test-key"
npm run inspector
# Or set for single command
API_KEY="your-test-key" npm run inspector
Windows (Command Prompt):
# Set for current session
set API_KEY=your-test-key
npm run inspector
Windows (PowerShell):
... [View full README on GitHub](https://github.com/lucianoayres/mcp-server-node#readme)