SkillAudit
Security·Node.js

MCP server memory profiling security: heap snapshots, credential exposure, and Buffer safety

Heap snapshots are a standard debugging tool — but they capture everything in memory, including API keys, auth tokens, and decrypted secrets. Understanding how Node.js manages memory is essential for MCP servers that handle credentials in their tool call lifecycle.

Why memory matters for MCP server security

An MCP server's Node.js heap is a security surface. Consider a typical tool call lifecycle:

  1. Tool handler receives arguments (possibly including user-provided tokens)
  2. Handler reads an API key from environment variable or secrets manager
  3. Handler constructs an outbound HTTP request with an Authorization header
  4. Response body (possibly containing PII) is parsed into a JavaScript object
  5. Handler returns a result string to the MCP client

At step 5, the API key, auth header, and response body are all still reachable in the V8 heap as live objects — and will remain there until the next garbage collection cycle. If a heap snapshot is triggered (by a crash, by a debug endpoint, or by an attacker exploiting a memory exhaustion vulnerability), all of that data is captured.

Pattern 1: Detecting credentials in heap snapshots

Before enabling heap profiling in any environment that handles real credentials, audit what's actually in your heap. Use heapdump in a staging environment with synthetic secrets, then grep the output:

// staging only — never expose this endpoint in production
import heapdump from 'heapdump';
import { createServer } from 'http';

createServer((req, res) => {
  if (req.url === '/debug/heapdump' && process.env.NODE_ENV !== 'production') {
    const filename = `/tmp/heap-${Date.now()}.heapsnapshot`;
    heapdump.writeSnapshot(filename, (err, filename) => {
      res.end(filename);
    });
  }
}).listen(9229, '127.0.0.1');  // bind to localhost only
# After generating a snapshot in staging, search for credential patterns
node -e "
  const snap = JSON.parse(require('fs').readFileSync('/tmp/heap-*.heapsnapshot'));
  const strings = snap.strings;
  const suspicious = strings.filter(s =>
    /sk-[a-zA-Z0-9]{32,}/.test(s) ||   // OpenAI-style keys
    /Bearer [a-zA-Z0-9._-]{20,}/.test(s) ||
    /password.*:.*['\"][^'\"]{8,}/.test(s)
  );
  console.log(suspicious.length, 'suspicious strings found');
  suspicious.slice(0, 5).forEach(s => console.log(s.substring(0, 60)));
"

Pattern 2: Secure Buffer allocation patterns

Node.js Buffer.allocUnsafe() returns memory that may contain data from previous allocations — including data from other requests' secrets. Always use Buffer.alloc() for security-sensitive buffers:

// WRONG — allocUnsafe can contain stale heap data
const buf = Buffer.allocUnsafe(32);
crypto.getRandomValues(buf);  // fills the buffer, but the stale data was briefly readable

// RIGHT — allocates zeroed memory
const secret = Buffer.alloc(32);
crypto.getRandomValues(secret);

// WRONG — string concatenation for auth headers leaves fragments in string heap
const header = 'Bearer ' + apiKey;

// BETTER — use a typed array and avoid string interning
const headerBytes = Buffer.from(`Bearer ${apiKey}`);
// use headerBytes, then explicitly zero it when done
headerBytes.fill(0);

// For sensitive data that must be a string (e.g., JSON stringify)
// prefer short-lived locals and avoid caching in module scope
function makeAuthHeader(key) {
  try {
    return { Authorization: `Bearer ${key}` };
  } finally {
    // key goes out of scope here — eligible for GC at next cycle
    // but note: GC timing is non-deterministic
  }
}

Pattern 3: Module-scope secret storage anti-pattern

The most common memory security mistake in MCP servers: storing secrets as module-scope constants. These live in the heap for the entire process lifetime — in every heap snapshot, every core dump:

// WRONG — module-scope secret lives forever in heap
const API_KEY = process.env.ANTHROPIC_API_KEY;  // string interned in V8
export { API_KEY };

// WRONG — caching secrets in a config object
const config = {
  apiKey: process.env.ANTHROPIC_API_KEY,
  dbPassword: process.env.DB_PASSWORD,
};

// BETTER — read from env at call time, don't cache
function getApiKey() {
  const key = process.env.ANTHROPIC_API_KEY;
  if (!key) throw new Error('ANTHROPIC_API_KEY not set');
  return key;  // local variable, GC-eligible after return
}

// BEST for high-security contexts — use a secrets manager with short-lived leases
async function getApiKey() {
  // Fetches a short-lived credential from Vault/AWS Secrets Manager
  // The string is GC-eligible after the call completes
  return await secretsManager.getSecretValue({ SecretId: 'anthropic-api-key' });
}

Pattern 4: Safe heap profiling in production

If you need heap profiling in production (for memory leak investigation), take these precautions:

// Use sampling heap profiler (lower overhead, less sensitive data captured)
import { Session } from 'inspector';

const session = new Session();
session.connect();

// Start sampling profiler (captures allocation stack traces, not full heap)
await session.post('HeapProfiler.startSampling', { samplingInterval: 32768 });

// ... reproduce the memory issue ...

const { profile } = await session.post('HeapProfiler.stopSampling');
session.disconnect();

// Sampling profile contains stack traces and allocation sizes
// but NOT the actual string/object values — safe to send to monitoring
fs.writeFileSync('/tmp/sampling-profile.heapprofile', JSON.stringify(profile));

The key distinction: HeapProfiler.startSampling captures allocation stacks (where memory was allocated), not heap contents (the actual values). Use the sampling profiler for production diagnostics. Reserve full heap snapshots for isolated staging environments with synthetic data.

Pattern 5: Memory leak detection without secret exposure

Memory leaks in MCP servers can accumulate secrets from thousands of requests over time. Detect leaks early using the --expose-gc flag and periodic size checks:

// Add to your MCP server health check
import v8 from 'v8';

function getHeapStats() {
  const stats = v8.getHeapStatistics();
  return {
    heap_used_mb: Math.round(stats.used_heap_size / 1048576),
    heap_total_mb: Math.round(stats.total_heap_size / 1048576),
    heap_limit_mb: Math.round(stats.heap_size_limit / 1048576),
    external_mb: Math.round(stats.external_memory / 1048576),
  };
}

// Alert if heap grows more than 20% between GC cycles
let lastHeapMb = 0;
setInterval(() => {
  if (global.gc) global.gc();  // only if --expose-gc flag is set
  const { heap_used_mb } = getHeapStats();
  if (lastHeapMb > 0 && heap_used_mb > lastHeapMb * 1.2) {
    logger.warn('Potential memory leak', { heap_used_mb, lastHeapMb, delta_pct: 20 });
  }
  lastHeapMb = heap_used_mb;
}, 60_000);

SkillAudit and memory security

SkillAudit's static analysis flags the highest-risk memory patterns: module-scope secret storage (const API_KEY = process.env.* at module level), Buffer.allocUnsafe() in security-sensitive paths, and debug heap dump endpoints without environment guards. Run an audit to check your MCP server for these patterns.

Related: Secrets management deep-dive · 50-question security checklist · Credential exposure patterns