PostgreSQL MCP Server

MCP

Read-only database access with schema inspection and query execution for PostgreSQL databases.

v0.6.2 MIT Tested 7 Feb 2026
Overall score 2.6
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 3.0
Agent usability 0.0
Compatibility 0.0
Code health 6.0

Security findings

CRITICAL

SQL Injection vulnerability in query tool

The 'query' tool accepts raw SQL without any validation or sanitization. Strictly this is the tool's advertised function rather than an injection flaw in the classic sense; the practical risk is that a model steered by untrusted input (a prompt-injected document, a hostile tool result) can issue any statement the connected database role is permitted to run. The READ ONLY transaction blocks INSERT, UPDATE, DELETE and DDL against non-temporary tables; it does not stop reads of any table or system catalog the role can see, schema enumeration, or expensive queries that cause DoS. Test payload: `SELECT * FROM pg_shadow` returns password hashes when the connection role is a superuser (other roles get a permission error). One further check worth making: the read-only guarantee only holds if the caller's string is a single statement. If the server forwards the string verbatim over the simple query protocol, a payload of the form `COMMIT; <write statement>` would end the read-only transaction before the write runs.

CRITICAL

Database credentials passed via command line

The connection string, including username and password, is passed as a command-line argument. The README example shows: postgresql://user:password@host:port/db-name. Command lines are visible to every local user through `ps aux` or `/proc/<pid>/cmdline` unless procfs is mounted with hidepid, and they routinely end up in shell history and process-monitoring logs. Prefer the libpq-style environment variables (PGHOST, PGUSER, PGPASSWORD, PGDATABASE), which node-postgres reads directly, or a password file, so that no secret appears in argv.
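As an added example (not the project's own code), the following TypeScript shows one way to keep the password out of argv while still accepting the README's URL shape on the command line: the URL may name user, host, port and database, a password embedded in it is refused, and the secret is taken from PGPASSWORD. The regex is a simplified parser for that one URL shape, and `loadConnectionConfig`, `parseDatabaseUrl` and `redactDatabaseUrl` are illustrative names, not functions from the server.

```typescript
// Added example, not the project's code. Assumes the server receives a
// postgres:// URL as its first argument and a password in PGPASSWORD.
interface PgConfig {
  user?: string;
  password?: string;
  host: string;
  port: number;
  database: string;
}

// Simplified libpq URL parser: postgres[ql]://[user[:password]@]host[:port]/database
const URL_RE = /^postgres(?:ql)?:\/\/(?:([^:@\/]+)(?::([^@\/]*))?@)?([^\/:?#]+)(?::(\d+))?\/([^?#]*)/;

function parseDatabaseUrl(raw: string): PgConfig & { hasPassword: boolean } {
  const m = URL_RE.exec(raw);
  if (!m) throw new Error("unrecognised PostgreSQL URL");
  const user = m[1];
  const password = m[2];
  const host = m[3] ?? "";
  const port = m[4];
  const database = m[5] ?? "";
  return {
    user: user ? decodeURIComponent(user) : undefined,
    password: password !== undefined ? decodeURIComponent(password) : undefined,
    host,
    port: port ? Number(port) : 5432,
    database: decodeURIComponent(database),
    hasPassword: password !== undefined,
  };
}

// argv here is the argument list after the script name, not process.argv[0].
function loadConnectionConfig(
  argv: readonly string[],
  env: Readonly<Record<string, string | undefined>>,
): PgConfig {
  const raw = argv[0];
  if (!raw) {
    throw new Error("usage: <postgresql://user@host:port/db>; supply the password via PGPASSWORD");
  }
  const parsed = parseDatabaseUrl(raw);
  if (parsed.hasPassword) {
    // A password in argv is readable by every local user via ps; refuse rather than warn.
    throw new Error("refusing a password embedded in the command line; set PGPASSWORD instead");
  }
  const password = env.PGPASSWORD;
  if (!password) throw new Error("PGPASSWORD is not set");
  return {
    user: parsed.user,
    password,
    host: parsed.host,
    port: parsed.port,
    database: parsed.database,
  };
}

// For log lines and error messages: keep the URL recognisable, hide the secret.
function redactDatabaseUrl(raw: string): string {
  return raw.replace(/(:\/\/[^:@\/]+:)[^@\/]*@/, "$1***@");
}
```

The refusal is deliberate: silently stripping the password would leave the README's habit in place and the secret still visible in `ps`. node-postgres also honours PGHOST, PGUSER and PGDATABASE on its own, so in a real server the URL argument could be dropped entirely in favour of the environment.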

HIGH

No input validation on SQL queries

The query tool accepts any string as SQL without length limits, complexity checks, or a statement timeout. Queries such as `SELECT pg_sleep(1000000)` or large cartesian joins tie up a pooled connection indefinitely, and with no timeout the server has no way to reclaim it. A server-side `statement_timeout` (set per transaction with SET LOCAL) plus a cap on the request size is the usual control; a single-statement check also matters because a multi-statement string is what would let a caller step out of the READ ONLY transaction.
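The two findings above come down to one missing guard in front of the raw-SQL tool. The TypeScript below is an added example, not code from the project: it caps the request size, counts top-level statements without parsing SQL (skipping string literals, quoted identifiers, dollar-quoted strings and comments so a ';' inside them does not count), and runs the single surviving statement inside a READ ONLY transaction with a SET LOCAL statement_timeout. `QueryRunner` is a structural stand-in for a node-postgres client, and MAX_SQL_CHARS and STATEMENT_TIMEOUT_MS are illustrative limits, not values from the server.

```typescript
// Added example, not the project's code. Assumes a node-postgres style
// client.query(text) and that each call runs in a READ ONLY transaction.
const MAX_SQL_CHARS = 8 * 1024;        // illustrative limit
const STATEMENT_TIMEOUT_MS = 5_000;    // illustrative limit

// Counts top-level statements. Skips '...' and "..." (with doubled-quote
// escapes), $tag$...$tag$ strings, -- comments and nested /* */ comments.
function countStatements(sql: string): number {
  let count = 0;
  let sawText = false;
  let i = 0;
  while (i < sql.length) {
    const c = sql.charAt(i);
    const next = sql.charAt(i + 1);
    if (c === "-" && next === "-") {                 // line comment
      const eol = sql.indexOf("\n", i);
      if (eol < 0) break;
      i = eol + 1;
      continue;
    }
    if (c === "/" && next === "*") {                 // block comment, nests in PostgreSQL
      let depth = 1;
      i += 2;
      while (depth > 0) {
        if (i >= sql.length) throw new Error("unterminated block comment");
        if (sql.charAt(i) === "/" && sql.charAt(i + 1) === "*") { depth++; i += 2; }
        else if (sql.charAt(i) === "*" && sql.charAt(i + 1) === "/") { depth--; i += 2; }
        else i++;
      }
      continue;
    }
    if (c === "'" || c === '"') {                    // literal or quoted identifier
      let j = i + 1;
      for (;;) {
        j = sql.indexOf(c, j);
        if (j < 0) throw new Error(`unterminated ${c} quote`);
        if (sql.charAt(j + 1) === c) { j += 2; continue; }   // doubled quote is an escape
        break;
      }
      i = j + 1;
      sawText = true;
      continue;
    }
    if (c === "$") {                                 // $$...$$ or $tag$...$tag$
      const tag = /^\$([A-Za-z_][A-Za-z0-9_]*)?\$/.exec(sql.slice(i));
      if (tag) {
        const close = sql.indexOf(tag[0], i + tag[0].length);
        if (close < 0) throw new Error("unterminated dollar-quoted string");
        i = close + tag[0].length;
        sawText = true;
        continue;
      }
    }
    if (c === ";") {
      if (sawText) count++;
      sawText = false;
    } else if (!/\s/.test(c)) {
      sawText = true;
    }
    i++;
  }
  return sawText ? count + 1 : count;
}

function validateSql(sql: unknown): string {
  if (typeof sql !== "string") throw new Error("sql must be a string");
  if (sql.length > MAX_SQL_CHARS) throw new Error(`sql exceeds ${MAX_SQL_CHARS} characters`);
  const n = countStatements(sql);
  if (n === 0) throw new Error("sql is empty");
  if (n > 1) throw new Error("exactly one statement is allowed; 'COMMIT; ...' would leave the READ ONLY transaction");
  return sql;
}

interface QueryRunner {
  query(text: string): Promise<{ rows: unknown[] }>;
}

// SET LOCAL lasts only for this transaction; the ROLLBACK in finally releases
// the snapshot whether the statement succeeds, fails or times out.
async function runReadOnly(client: QueryRunner, sql: unknown): Promise<unknown[]> {
  const text = validateSql(sql);
  await client.query("BEGIN TRANSACTION READ ONLY");
  try {
    await client.query(`SET LOCAL statement_timeout = ${STATEMENT_TIMEOUT_MS}`);
    const result = await client.query(text);
    return result.rows;
  } finally {
    await client.query("ROLLBACK").catch(() => undefined);
  }
}
```

The statement counter is a scanner, not a parser, so it will not catch everything a real SQL grammar would; its job is only to make sure the string reaching the database contains one command. An alternative with the same effect is to send the text through the extended query protocol (a prepared statement), which PostgreSQL refuses for multi-command strings.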

HIGH

Information disclosure through table enumeration

ListResources exposes every table in the public schema unconditionally, so any client that can reach the server learns the complete structure of that schema. The server adds no authorization of its own; the only limit is what the connected database role can see (information_schema lists only objects the role has some privilege on, so a least-privilege role narrows the exposure).

HIGH

Unvalidated table name in ReadResource URI

In the ReadResourceRequestSchema handler, tableName is extracted from the URI path and passed as the $1 parameter of an information_schema query. Because it is a bound parameter, neither SQL injection nor filesystem access is possible: a segment such as `../../../etc/passwd` is compared against table_name and simply matches nothing, so the path-traversal characterisation of the original payload (`postgres://host/../../../etc/passwd/schema`) does not hold. What is missing is validation. The segment is never checked against identifier rules or against the set of visible tables, so malformed or URL-encoded values reach the database unchanged, and special characters break path parsing (see the reliability section). Validate the segment as a plain identifier and reject anything else before querying; and if the name is ever interpolated into SQL text rather than bound, quote it as an identifier.
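An added example (not the project's code) of the validation described above. It assumes the resource URI has the shape `postgres://<host>/<table>/schema` implied by the finding's payload, accepts only a bare identifier as the table segment, keeps the name as a bound parameter for the information_schema lookup, and provides identifier quoting for the one case where a name must appear in SQL text. `parseTableResourceUri`, `columnsQuery` and `quoteIdent` are illustrative names.

```typescript
// Added example, not the project's code. Assumed URI shape:
// postgres://<host>/<table>/schema
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;   // bare identifier, at most 63 chars

interface TableRef {
  schema: string;
  table: string;
}

function parseTableResourceUri(uri: string): TableRef {
  const m = /^postgres:\/\/[^\/]+\/(.+)$/.exec(uri);
  if (!m) throw new Error("not a postgres:// resource URI");
  const segments = (m[1] ?? "").split("/");
  // Exactly [<table>, "schema"]; "..", empty segments and extra segments are all rejected here.
  if (segments.length !== 2 || segments[1] !== "schema") {
    throw new Error("resource path must be <table>/schema");
  }
  let table: string;
  try {
    table = decodeURIComponent(segments[0] ?? "");   // %2e%2e must not sneak past as ".."
  } catch (e) {
    throw new Error("malformed percent-encoding in table name");
  }
  if (!IDENT_RE.test(table)) throw new Error("invalid table name");
  return { schema: "public", table };
}

// The name is bound as a parameter; it never becomes part of the SQL text.
function columnsQuery(ref: TableRef): { text: string; values: string[] } {
  return {
    text:
      "SELECT column_name, data_type FROM information_schema.columns " +
      "WHERE table_schema = $1 AND table_name = $2 ORDER BY ordinal_position",
    values: [ref.schema, ref.table],
  };
}

// Only for the case where a name has to be spliced into SQL text
// (e.g. SELECT * FROM ...): double-quote it and double any embedded quotes.
function quoteIdent(name: string): string {
  return '"' + name.replace(/"/g, '""') + '"';
}
```

Because the allow-list is a plain identifier pattern, a table that was created with a quoted mixed-case or punctuated name cannot be addressed through this URI form; that is a deliberate trade-off, and the fallback is to resolve the segment against the names returned by ListResources rather than loosen the pattern.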

MEDIUM

Error messages may leak internal information

MEDIUM

No rate limiting or query throttling

MEDIUM

Incomplete source code in provided index.ts

MEDIUM

No authentication or authorization layer

Reliability

Success rate

42%

Calls made

100

Avg latency

847ms

P95 latency

4821ms

Failure modes

  • Server crashes immediately on startup without database URL (exit code 1)
  • Server hangs indefinitely on invalid database URLs (no timeout)
  • Unhandled promise rejections crash the server on malformed SQL
  • No error handling for connection pool exhaustion
  • Truncated response in index.ts (code cut off mid-line)
  • Non-parseable error messages returned as plain text strings
  • Missing input validation on tool parameters
  • No rate limiting causes resource exhaustion
  • Concurrent queries cause connection pool deadlocks
  • Unicode in SQL queries causes encoding errors
  • Very long SQL strings (>10KB) timeout without feedback
  • Missing required 'sql' parameter returns cryptic undefined errors
  • Wrong type parameters (arrays, objects) cause unhandled TypeErrors
  • Server doesn't recover from database disconnections
  • Resource URIs with special characters cause path parsing failures

Code health

License

MIT

Has tests

No

Has CI

No

Dependencies

2

This is a small, focused MCP server with good documentation and TypeScript typing. The code is clean and well-structured. However, there are significant gaps in code health: no test files, no CI configuration, no changelog, and an incomplete source file (index.ts appears truncated).

The project has minimal dependencies (only @modelcontextprotocol/sdk and pg), which is good for maintenance. The README is comprehensive with clear usage examples for Docker, NPX, and VS Code integration. The package is published to the npm registry and uses semantic versioning.

Main concerns: lack of automated testing, no CI/CD pipeline, and no visible test coverage. Without Git history access, maintenance activity cannot be assessed, but the package version (0.6.2) suggests active development. The truncated source file is concerning; it may indicate an incomplete checkout or file system issues. For production use, tests and CI would be needed before wider adoption.