samanhappy MCPHub Server-Side Request Forgery Vulnerability in MCPRouter Service

A server-side request forgery (SSRF) vulnerability has been identified in samanhappy MCPHub versions through 0.9.10. The issue arises in the MCPRouter Service, specifically within the serverController.ts file. The vulnerability allows an administrator to inject a malicious URL into the application's configuration without any validation. This injected URL is then used to make HTTP requests to arbitrary internal or external locations, potentially leading to unauthorized access or manipulation of data.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate the application to make requests to unintended destinations. This could be used to access internal services, scan networks, or interact with cloud metadata endpoints, depending on the nature of the injected URL.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a PUT request to the /api/system-config endpoint. The request must include a JSON body that specifies a malicious URL in the mcpRouter.baseUrl field. Once the URL is injected and the configuration is saved, the administrator can trigger the vulnerability by calling an API endpoint that uses the MCPRouter configuration, such as /api/cloud/servers. This will initiate a request to the injected URL, exploiting the server-side request forgery vulnerability.