← All tools

@brightdata/mcp

MCP

An MCP interface into the Bright Data toolset

v2.8.4 MIT Tested 8 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 3.0
Reliability 6.0
Agent usability 7.0
Compatibility 9.0
Code health 7.0

Compatibility

Framework Status Notes
Claude Code
OpenAI Agents SDK SSE transport not explicitly implemented (stdio only), may need adapter, Some complex nested schemas in browser tools may need flattening for optimal OpenAI function calling
LangChain Browser session state management may conflict with LangChain's stateless execution model, Domain-based session tracking would need careful wrapping to avoid state leaks

Security findings

CRITICAL

API_TOKEN credential exposed in environment variables without proper protection

server.json line 23-28: API_TOKEN is marked as 'isSecret: true' but the server.js implementation passes environment variables directly without sanitization. Environment variables are visible in process listings and error messages.

CRITICAL

Command injection vulnerability in browser automation tools

browser_tools.js and browser_session.js: User-controlled URLs and ref values are passed directly to Playwright without validation. The 'scraping_browser_navigate' tool accepts arbitrary URLs without checking for javascript:, data:, or file: protocol handlers that could execute arbitrary code.

CRITICAL

Unvalidated URL inputs allow SSRF attacks

server.js web_data_* tools and scrape_* tools: URLs are passed directly to external API calls without validation of protocols, internal IP ranges (127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 169.254.0.0/16), or localhost. An attacker could probe internal services or cloud metadata endpoints.

HIGH

Insufficient input validation on ref selectors

browser_tools.js lines covering scraping_browser_click_ref, scraping_browser_type_ref: The 'ref' parameter is used directly in Playwright's locator() without validation. While ARIA refs are safer than arbitrary CSS selectors, malformed refs could cause denial of service.

HIGH

No rate limiting or abuse prevention

server.js: No implementation of rate limiting, request throttling, or cost controls. A malicious client could spawn unlimited expensive browser sessions or web data API calls.

HIGH

Error messages leak internal implementation details

browser_session.js lines 53-62, 90-98: Error messages include full stack traces and CDP endpoint details. server.js lines throughout include axios error responses that may contain internal API tokens or system paths.

HIGH

Session management allows cross-domain state leakage

browser_session.js lines 14-25: Domain-based session isolation is based on hostname parsing only. Subdomains share sessions, allowing potential cross-subdomain attacks or cookie theft between different services on the same domain.

MEDIUM

Missing input length limits

MEDIUM

Polling timeout configurable without bounds

MEDIUM

No authentication on tool execution

MEDIUM

Snapshot filtering may expose sensitive DOM content

Reliability

Success rate

72%

Calls made

100

Avg latency

2500ms

P95 latency

8000ms

Failure modes

  • Browser connection failures with no retry logic - browser.connectOverCDP() can throw without recovery
  • Domain session map accumulates stale sessions - no cleanup mechanism for disconnected domains
  • Missing parameter validation - tools accept arbitrary inputs without schema validation before API calls
  • Race conditions in browser session management - _getDomainSession() has no locking, concurrent calls can create duplicate sessions
  • Error handling inconsistent - some functions catch and rethrow, others let errors propagate without structured messages
  • Network timeout handling unclear - no explicit timeout configuration visible for HTTP requests
  • Resource exhaustion possible - _domainSessions Map grows unbounded, no session eviction policy
  • Snapshot filtering can return raw error stack traces instead of structured errors
  • Page closure detection is event-based but has no guarantee of cleanup ordering
  • CDP endpoint failures cascade without fallback - single point of failure for all browser operations

Code health

License

MIT

Has tests

Yes

Has CI

No

Dependencies

7

Active project with good documentation and recent maintenance. Has comprehensive README (16KB), maintained CHANGELOG with detailed version history through 2.8.4. Published to npm registry. Single basic test exists (server-health.test.js) but no CI configuration found. No TypeScript types or linter config detected. Dependencies are reasonable (7 total) including modern packages like @modelcontextprotocol/sdk 1.21.2, playwright, axios. Recent CHANGELOG entries show active development with last entry for version 2.6.0 on 2025-10-27. Package includes proper MIT license, manifest.json for MCP registry support, and Dockerfile. Missing: CI/CD pipeline, comprehensive test coverage, type definitions, linter configuration. The codebase is well-structured with modular components (browser_session.js, browser_tools.js, aria_snapshot_filter.js, tool_groups.js). Documentation includes examples, demo GIFs, and tool descriptions. Overall a maintained project with good fundamentals but room for improvement in testing infrastructure and code quality tooling.

View source on GitHub →