CVE-2025-66336 - Apache Doris MCP Server metadata SQL injection

CVE-2025-66336 affects Apache Doris MCP Server metadata-query handling. A user-controlled database name is interpolated directly into a SQL query and the query runs without the caller’s authorization context, which can let an authenticated attacker, or an anonymous attacker when authentication is disabled, bypass intended metadata scope and read information outside the allowed database boundary.

Exposure exists when the repository runs or deploys Apache Doris MCP Server, especially if the service is reachable by lower-trust users or anonymous access is enabled.

When to use it

Use this recipe when a repository deploys, wraps, or configures Apache Doris MCP Server and needs to verify metadata-query authorization boundaries. It is suited to source-code remediation, MCP server hardening, SQL injection review, and compliance evidence for least-privilege access to database metadata.

Inputs

  • Apache Doris MCP Server version, deployment manifest, service config, authentication mode, database allowlists, and exposed MCP tools.
  • Source paths for metadata query construction, database-name parsing, authorization checks, and SQL execution.
  • Test fixtures that represent authorized, unauthorized, and anonymous callers without using production databases or customer metadata.
  • Logs, scans, or audit requirements that show who can reach the MCP service and which database metadata it may expose.

Affected versions

Package Vulnerable versions Fixed versions
Apache Doris MCP Server 0.1.0 to < 0.6.1 0.6.1+

Indicator-of-exposure

  • The repository resolves Apache Doris MCP Server before 0.6.1.
  • Metadata endpoints or query tools accept a caller-supplied database name.
  • Authentication is disabled, weakly scoped, or shared across tenants.
  • The MCP Server is exposed to CI agents, automation, or users who should not enumerate all backend metadata.

Quick checks:

rg -n "doris|mcp|database name|metadata|information_schema|SELECT .*\\$\\{|format\\(|f\\\"|query" .

Windows:

rg -n "doris|mcp|database name|metadata|information_schema|SELECT .*\\$\\{|format\\(|f\\\"|query" .

Do not verify exposure by sending crafted SQL injection payloads to a live server.

Remediation strategy

  • Upgrade Apache Doris MCP Server to 0.6.1+.
  • Ensure metadata queries use parameterized statements or strict identifier allow-listing instead of string interpolation.
  • Pass and enforce the caller’s authorization context on every metadata path.
  • Disable anonymous access unless it is explicitly required and separately reviewed.
  • Restrict network reachability of the MCP Server while patching.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-66336 / GHSA-pqrj-4gwg-h5f7, a high-severity Apache
Doris MCP Server SQL injection in a metadata query path that can bypass the
intended authorization scope. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the MCP Server, removes
  unsafe query construction, restores authorization scoping, adds safe tests,
  and documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected Doris MCP Server
  code path or runtime.

## Rules

- Scope only CVE-2025-66336 and directly related metadata query,
  authorization-context, and exposure-hardening paths.
- Treat database metadata, schema names, credentials, connection strings, and
  audit logs as sensitive.
- Do not send live SQL injection payloads to production or shared systems.
- Do not auto-merge.

## Steps

1. Inventory every controlled Apache Doris MCP Server dependency, image,
   service, query handler, and metadata endpoint.
2. Resolve versions. Any version earlier than `0.6.1` is vulnerable.
3. Identify where database names or similar identifiers enter metadata queries.
4. Verify whether authorization context is propagated and enforced on metadata
   reads.
5. If the repository does not own the vulnerable path, stop with `TRIAGE.md`
   naming the runtime owner and required fixed version.
6. Upgrade to `0.6.1+`.
7. Replace string interpolation for metadata queries with parameterization where
   supported, or strict server-side identifier validation/allow-listing where
   SQL identifiers cannot be bound as parameters.
8. Ensure the caller's authorization context is passed and checked on the
   metadata path.
9. Disable or tightly restrict anonymous access if it is enabled in controlled
   deployments.
10. Add safe regression checks that prove:
    - fixed version resolution;
    - unauthorized callers cannot enumerate out-of-scope metadata;
    - database-name inputs are rejected or normalized before query execution.
11. Add a PR body section named `CVE-2025-66336 operator actions` covering:
    - versions before and after;
    - whether anonymous access was enabled;
    - what metadata surfaces were hardened;
    - what logs operators should review for unusual metadata access.
12. Run relevant validation: dependency install, tests, linting, config render,
    and security scans without exploit payloads.
13. Use PR title:
    `fix(sec): remediate Doris MCP metadata SQL injection`.

## Stop conditions

- No controlled Doris MCP Server runtime or source path exists.
- The vulnerable metadata query lives in an upstream service not patched here.
- Safe verification is impossible without exercising live exploit payloads.

Output contract

  • A reviewer-ready PR or change request that upgrades or patches Doris MCP Server, parameterizes metadata queries, enforces caller authorization, adds regression tests, and documents deployment cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, auth mode, exposure boundary, required fix, and any compensating control.
  • The output must include validation commands and must not query production metadata, dump database names, or include customer data.

Verification - what the reviewer looks for

  • No controlled Doris MCP Server resolves a version earlier than 0.6.1.
  • Metadata queries no longer interpolate caller-controlled database names.
  • Authorization context is enforced on metadata paths.
  • Anonymous access is disabled or explicitly justified and constrained.

Watch for

  • Upgrading the package while custom wrappers still build unsafe metadata SQL.
  • Rejecting one input shape but leaving alternative metadata endpoints exposed.
  • Treating SQL identifier escaping as interchangeable with authorization checks.

References