We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of the Pipedrive MCP Server seriously. If you discover a security vulnerability, please follow these steps:
Please do not open a public GitHub issue for security vulnerabilities. Public disclosure can put the entire community at risk.
Send a detailed report to:
Email: [Your security contact email - update this]
Or use GitHub's private security advisory feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
To help us assess and fix the vulnerability quickly, please include:
- Description: Clear explanation of the vulnerability
- Impact: What could an attacker achieve?
- Steps to reproduce: Detailed reproduction steps
- Affected versions: Which versions are affected?
- Suggested fix: If you have ideas for fixing it
- Your environment: Node version, OS, etc.
Subject: [SECURITY] API Token Exposure in Logs
Description:
The server logs API tokens in plain text when debug logging is enabled,
potentially exposing credentials in log files.
Impact:
An attacker with access to log files could steal API tokens and gain
unauthorized access to Pipedrive accounts.
Steps to Reproduce:
1. Enable LOG_LEVEL=debug
2. Start the server
3. Trigger any API call
4. Check logs - API token is visible in request headers
Affected Versions:
All versions up to 1.2.3
Suggested Fix:
Redact API tokens in logger.ts before writing to logs.
Environment:
- Node.js: 18.17.0
- OS: macOS 14.0
- Package version: 1.2.3
We will respond to security reports according to the following timeline:
- 24 hours: Acknowledge receipt of your report
- 72 hours: Provide initial assessment and severity rating
- 7 days: Provide a fix timeline or mitigation steps
- 30 days: Release a patch (for critical vulnerabilities, much sooner)
Never commit API tokens to version control:
# WRONG - Don't do this
git commit -m "add config" claude_desktop_config.json
# RIGHT - Use environment variables
# Add to .gitignore:
echo "claude_desktop_config.json" >> .gitignoreUse environment variables or secure secret management:
- Store tokens in environment variables
- Use a password manager for token storage
- Rotate tokens regularly (every 90 days recommended)
- Use separate tokens for development and production
Grant Pipedrive API tokens only the minimum permissions needed:
- In Pipedrive, go to Settings > Personal Preferences > API
- Create separate tokens for different use cases
- Regularly audit token usage
- Revoke unused tokens immediately
For exploratory use or when you don't need write access:
{
"env": {
"PIPEDRIVE_API_TOKEN": "your_token",
"PIPEDRIVE_READ_ONLY": "true"
}
}- Check Pipedrive audit logs regularly
- Monitor for unexpected API usage
- Set up alerts for unusual patterns
- Review connected applications periodically
# Check for updates regularly
npm outdated -g @nubiia/mcp-pipedrive
# Update to latest version
npm update -g @nubiia/mcp-pipedrive- Use encrypted file systems
- Enable file system access controls
- Don't share development machines
- Use secure network connections
- Never log sensitive data (tokens, passwords, PII)
- Validate all inputs with Zod schemas
- Sanitize user inputs before API calls
- Use parameterized queries/requests
- Avoid eval() and similar dynamic code execution
# Audit dependencies regularly
npm audit
# Fix vulnerabilities automatically
npm audit fix
# Check for outdated packages
npm outdated// WRONG - Hardcoded secrets
const token = 'abc123';
// RIGHT - Use environment variables or mocks
const token = process.env.PIPEDRIVE_API_TOKEN || 'mock_token_for_tests';- Only use HTTPS for API calls
- Verify SSL certificates
- Don't disable certificate validation
- Use TLS 1.2 or higher
The MCP server receives the API token through environment variables configured in Claude Desktop. The token is:
- Stored in memory only (never persisted to disk by this server)
- Not logged (even in debug mode)
- Not transmitted except to Pipedrive API over HTTPS
- Cleared when the process terminates
User Responsibility: The token is stored in Claude Desktop's config file. Users should:
- Protect this file with appropriate file permissions (chmod 600)
- Encrypt their file system
- Not share their config file
The server implements rate limiting to prevent abuse:
- 10 requests/second default
- Burst capacity of 100 requests
- Automatic retry with backoff
This protects against accidental DDoS of your Pipedrive account.
All tool inputs are validated with Zod schemas:
- Type checking
- Range validation
- Format verification
- Required field enforcement
This prevents injection attacks and malformed requests.
Errors are sanitized before being returned to prevent information leakage:
- API tokens are never included in errors
- Internal paths are not exposed
- Stack traces are limited in production
- PII is redacted
We use automated tools to detect dependency vulnerabilities:
- GitHub Dependabot alerts
- npm audit in CI/CD
- Regular dependency updates
All API communication uses HTTPS:
// Enforced in PipedriveClient
const API_BASE = 'https://api.pipedrive.com/v1';All inputs are validated before being sent to Pipedrive:
const validated = CreateDealSchema.parse(args);
// Zod throws on invalid input, preventing injectionPrevents abuse and protects your API quota:
const limiter = new RateLimiter({
minTime: 100, // 10 req/s
maxConcurrent: 5,
reservoir: 100,
});Sensitive information is never exposed in errors:
// API tokens and internal details are redacted
return handleToolError(error);Prevent accidental modifications:
if (READ_ONLY && isWriteOperation(toolName)) {
throw new Error('Write operations disabled in read-only mode');
}When we fix a security vulnerability:
- Patch Released: Fix is deployed in a new version
- Security Advisory: Published on GitHub Security Advisories
- Notification: Users notified through GitHub releases
- Credit: Reporter credited (if desired) in advisory
We recognize security researchers who responsibly disclose vulnerabilities:
No vulnerabilities have been reported yet.
For security-related questions that are not vulnerabilities:
- Open a GitHub Discussion
- Tag with
securitylabel - Contact maintainers
Thank you for helping keep Pipedrive MCP Server secure!