GHSA-52cq-7v8r-62c6: gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense
The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no preexisting CVEs for this package yet and the repository had no prior security issues.
The primary issue is that the HTTP transport in server.py skips authentication entirely when MCP_API_KEY is not set — which is the default, since .env.example ships the key as a blank value. Any unauthenticated caller who knows the server’s public URL can invoke all six tools and generate live, billed Google Maps API requests against the operator’s key. Because the README explicitly instructs operators to expose the server via ngrok (ngrok http 8000, then point MCP clients at the ngrok URL), this configuration gets deployed internet-facing as a matter of normal usage.
Affected files and exact lines:

src/google_maps_mcp/server.py, lines 186–192 (excerpt from the HTTP auth middleware; api_key is the value of the X-API-Key request header):

    expected_key = os.getenv("MCP_API_KEY")
    if not expected_key:
        # If no MCP_API_KEY is set, allow all requests (development mode)
        return await call_next(request)
    if api_key != expected_key:
        return JSONResponse(
            {"error": "Invalid or missing API key. Provide X-API-Key header."},
            status_code=401
        )
run.py lines 37 and 38 bind to 0.0.0.0:8000 by default (MCP_HOST=0.0.0.0, MCP_PORT=8000). No rate-limiting middleware exists anywhere in the codebase — not in the middleware stack, not in GoogleMapsClient, not in the tool handlers.
Attack model: operator deploys with default config (blank MCP_API_KEY), exposes via ngrok per the README instructions, attacker discovers the ngrok URL through ngrok’s public endpoint scan surface or via a targeted test of shared URLs. No credentials needed to call the server.
PoC — reproduces from the default config:

    # Start with default .env.example (MCP_API_KEY blank/unset)
    export GOOGLE_MAPS_API_KEY=<operator_key>
    python run.py   # binds 0.0.0.0:8000
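The fail-open decision above, modelled beside a fail-closed replacement, as an added example (not the gmaps-mcp project's code). It assumes the X-API-Key header named on the page; the 503 status for an unset key, the startup refusal and the per-client token bucket are this example's own mitigation choices, and the sample requests are constructed.

```python
import hmac
import os
import time
from typing import Optional

# Constructed sample callers: anonymous, wrong key, correct key.
SAMPLE_REQUESTS = [None, "wrong-key", "correct-key"]


def vulnerable_decision(provided: Optional[str], configured: Optional[str]) -> int:
    """Mirrors server.py lines 186-192: an unset MCP_API_KEY admits every caller."""
    if not configured:
        return 200  # "development mode" silently becomes the production default
    if provided != configured:
        return 401
    return 200


def hardened_decision(provided: Optional[str], configured: Optional[str]) -> int:
    """Fail closed: no configured key means nobody is served, and the comparison
    is constant-time so the key cannot be leaked through response timing."""
    if not configured:
        return 503  # refuse service rather than expose the Google Maps key
    if provided is None or not hmac.compare_digest(provided.encode(), configured.encode()):
        return 401
    return 200


def startup_check(env=os.environ) -> str:
    """Refuse to bind 0.0.0.0:8000 at all when MCP_API_KEY is blank or missing."""
    key = env.get("MCP_API_KEY")
    if not key:
        raise RuntimeError("MCP_API_KEY must be set before the HTTP transport starts")
    return key


class TokenBucket:
    """Per-client limiter so even a valid key cannot run up an unbounded Maps bill."""

    def __init__(self, capacity: int, refill_per_sec: float, now=time.monotonic):
        self.capacity, self.refill, self.now = capacity, refill_per_sec, now
        self.state = {}  # client id -> (tokens, last timestamp)

    def allow(self, client: str) -> bool:
        tokens, last = self.state.get(client, (self.capacity, self.now()))
        t = self.now()
        tokens = min(self.capacity, tokens + (t - last) * self.refill)
        ok = tokens >= 1
        self.state[client] = (tokens - 1 if ok else tokens, t)
        return ok


def run_samples(configured: Optional[str], decide) -> list:
    """Apply one decision function to every constructed caller."""
    return [decide(provided, configured) for provided in SAMPLE_REQUESTS]
```

With MCP_API_KEY unset, the vulnerable policy returns 200 for all three callers while the hardened one returns 503 for all of them.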
References
- github.com/advisories/GHSA-52cq-7v8r-62c6
- github.com/arthurkatcher/google-maps-mcp
- github.com/arthurkatcher/google-maps-mcp/commit/00d872507c78e8116bbf9de7be7cd112945c0fd8
- github.com/arthurkatcher/google-maps-mcp/commit/3ae32643da469f962e67e8ef9726cd4d9bf4587d
- github.com/arthurkatcher/google-maps-mcp/security/advisories/GHSA-52cq-7v8r-62c6