fix(fetch): block private network URL fetches #4226

Open
kgarg2468 wants to merge 1 commit into modelcontextprotocol:main from kgarg2468:kgarg/harden-fetch-ssrf

Conversation

@kgarg2468 (Contributor)

Summary

  • validate fetch URLs use http/https and resolve only to public IP addresses
  • block localhost, private, loopback, link-local, and metadata-service targets
  • follow redirects manually so redirected targets are validated before each request

Fixes #4143.

Tests

  • cd src/fetch && uv run pytest tests/test_server.py -q
  • cd src/fetch && uv run ruff check src/mcp_server_fetch/server.py tests/test_server.py
  • git diff --check
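The four points in the summary above describe one guard: allowlist the scheme, resolve the host, refuse anything that is not globally routable, and re-run that check on every redirect hop instead of letting the HTTP client follow them. The block below is an added example of that guard in Python; it is not code from mcp-server-fetch or from this PR. `url_block_reason`, `fetch_with_guard`, the injectable `resolve`/`send` callables and the `FAKE_DNS`/`FAKE_HTTP` tables are all assumptions constructed here so the module runs offline (a real deployment would have `send` issue one non-following request through its HTTP client).

```python
"""SSRF guard: scheme allowlist, public-address check, per-hop redirect validation.
Added example; not code from mcp-server-fetch. resolve/send are injectable so it runs offline."""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = frozenset({"http", "https"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
MAX_REDIRECTS = 5
Resolver = Callable[[str], list]
Sender = Callable[[str], tuple]  # send(url) -> (status, headers, body), no auto-follow


class BlockedURL(ValueError):
    """Raised when a URL, or a redirect target, must not be fetched."""


def system_resolver(host: str) -> list:
    """Every A/AAAA record for host; a single non-public record blocks the fetch."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(raw: str) -> bool:
    """True only for globally routable unicast. Loopback, RFC 1918 / ULA, link-local
    (which contains 169.254.169.254), CGNAT 100.64.0.0/10, multicast, reserved and
    unspecified all fail. IPv4-mapped IPv6 is unwrapped so ::ffff:10.0.0.1 cannot
    smuggle a blocked IPv4 target past the check."""
    addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop any scope id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    blocked = (addr.is_loopback or addr.is_private or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked


def url_block_reason(url: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Why url is refused, or None if it may be fetched."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased; brackets already stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        targets = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup needed
    except ValueError:
        targets = resolve(host)
    if not targets:
        return f"{host!r} did not resolve"  # fail closed on unresolvable names
    for ip in targets:
        if not is_public_address(ip):
            return f"{host!r} resolves to non-public address {ip}"
    return None


def fetch_with_guard(url: str, send: Sender, resolve: Resolver = system_resolver,
                     max_redirects: int = MAX_REDIRECTS) -> tuple:
    """Fetch url, following redirects by hand so every hop is validated before
    it is requested. Returns (status, body, hops_visited)."""
    hops = []
    for _ in range(max_redirects + 1):
        reason = url_block_reason(url, resolve)
        if reason:
            raise BlockedURL(f"{url}: {reason}")
        hops.append(url)
        status, headers, body = send(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # relative Location resolves against this hop
            continue
        return status, body, hops
    raise BlockedURL(f"more than {max_redirects} redirects")


# Constructed offline stand-ins for DNS and HTTP; these are not real hosts or responses.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.google.internal": ["169.254.169.254"],
    "split.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
}
FAKE_HTTP = {
    "http://example.com/start": (302, {"Location": "http://169.254.169.254/latest/meta-data/iam/"}, b""),
    "http://example.com/hop": (301, {"location": "/ok"}, b""),
    "http://example.com/ok": (200, {}, b"hello"),
    "http://example.com/loop": (302, {"Location": "/loop"}, b""),
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def fake_send(url: str) -> tuple:
    return FAKE_HTTP[url]


def demo() -> dict:
    """Run the guard over representative URLs and return the outcome per case."""
    cases = {
        "plain": "http://example.com/ok",
        "relative_redirect": "http://example.com/hop",
        "redirect_to_metadata": "http://example.com/start",  # the 302 bypass
        "redirect_loop": "http://example.com/loop",
        "file_scheme": "file:///etc/passwd",
        "localhost": "http://localhost:8080/",
        "ipv6_loopback": "http://[::1]/",
        "mapped_v4": "http://[::ffff:169.254.169.254]/",
        "gcp_metadata": "http://metadata.google.internal/computeMetadata/v1/",
        "split_horizon": "https://split.attacker.test/",
        "decimal_ip": "http://2130706433/",
    }
    out = {}
    for name, url in cases.items():
        try:
            status, body, hops = fetch_with_guard(url, fake_send, fake_resolve)
            out[name] = f"ok {status} after {len(hops)} hop(s)"
        except BlockedURL as exc:
            out[name] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

Two caveats a reviewer of the real change would still want checked. First, with the system resolver a decimal or hex host such as `2130706433` resolves to 127.0.0.1 and is rejected by the address check, while the constructed resolver simply fails to resolve it; both paths fail closed, and the guard must keep doing so for any host that yields no addresses. Second, resolving the name in the validator and then letting the HTTP client resolve it again leaves a rebinding window: an attacker-controlled name can answer with a public address for the check and a private one for the connection. Connecting to the address that was validated (pinning it into the transport) closes that window; the example above only shows the validation side.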

desledishant10 added a commit to desledishant10/mcp-scan that referenced this pull request Jun 2, 2026
PR modelcontextprotocol/servers#4226 by @kgarg2468 opened 2026-05-22,
explicitly listing 'Fixes #4143' in the body. Commit summary:

- Validate fetch URLs use http/https
- Resolve only to public IP addresses
- Block localhost, private, loopback, link-local, and metadata-service
  targets
- Follow redirects manually so redirected targets are validated before
  each request

The per-redirect validation step is more rigorous than the original
disclosure asked for — closes a 302-bypass that the basic scheme/host
check would have missed.

16/16 CI checks pass on the PR. Awaiting maintainer approval.

Updated:
- disclosures/2026-05-12-mcp-fetch-http-request-ssrf.md (status field
  + new Updates entry dated 2026-05-22)
- findings/2026-05-11-MCP-D-003-fetch-direct-environment-dependent-ssrf.md
  (outcome line: 'demonstrated' → 'demonstrated + fix PR in review')
- README.md findings table (fix PR link added)
- CHANGELOG.md Unreleased section (disclosure-status entry)

The community half (mcp-server-http-request) still has no maintainer
response. Day +14 ping is due 2026-05-26 (4 days from now).
@desledishant10

Thanks for picking this up so quickly, @kgarg2468, really appreciate it.
The fix addresses everything the original disclosure asked for (scheme allowlist + reserved-range denylist), and the per-redirect validation is a nice catch I hadn't explicitly called out. Without it, an attacker could host a public URL that 302s to http://169.254.169.254/... and bypass the initial host check. Glad to see it covered here.
Happy to spin up the same EC2 reproduction setup against this branch to confirm the metadata-service request now refuses cleanly, if that would be useful for the review. Let me know.
Tracking the PR alongside the original disclosure record at https://github.com/desledishant10/mcp-scan/blob/main/disclosures/2026-05-12-mcp-fetch-http-request-ssrf.md so the timeline stays public.


Development

Successfully merging this pull request may close these issues.

Security: mcp-server-fetch lacks SSRF protection; cloud-hosted agent hosts can leak IAM credentials

2 participants