fetch-mcp Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in fetch-mcp versions through 1.0.2. It allows attackers to bypass the private IP validation and reach internal network resources. The issue arises in the Fetcher class, where the validation function is_ip_private() is passed the full URL instead of only the hostname or IP address. Because a full URL is never a valid IP literal, the check never matches and is effectively disabled, allowing access to internal services, cloud metadata endpoints, and sensitive internal APIs.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network resources, bypassing firewall rules and access restrictions. It could also allow enumeration of internal administrative interfaces, extraction of sensitive data from internal APIs and admin panels, access to cloud metadata endpoints (such as AWS, GCP, or Azure), and execution of commands on internal services like Redis, Memcached, or Elasticsearch.

Reproduction

To reproduce this vulnerability, set up an application using the Fetcher class. Attempt to fetch a private IP address by sending a request to a URL that includes a private IP, such as 'http://127.0.0.1/api/secrets'. The request will be allowed and executed, bypassing the intended validation.

Remediation

Users are advised to update the Fetcher class to ensure the is_ip_private() function receives only the hostname or IP address, not the full URL. Additionally, the vulnerable is_ip_private package should be uninstalled.

Added: Dec 10, 2025, 12:57 AM
Updated: Dec 10, 2025, 12:57 AM

Vulnerability Rating

Custom Algorithm (score per category):

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.