FastMCP OpenAPI Path Traversal Vulnerability Allowing Authenticated SSRF

Vulnerability

A vulnerability in FastMCP's OpenAPIProvider prior to version 3.2.0 allows path traversal attacks that escape the intended API prefix and reach backend endpoints the provider was never meant to expose. The root cause is that the RequestDirector's _build_url() method substitutes path parameter values directly into the URL template without URL-encoding them, so a value containing '/' or '../' changes the structure of the resulting path instead of being treated as data. Because the crafted requests carry the authorization headers the MCP provider is configured with, the attack amounts to an authenticated Server-Side Request Forgery (SSRF).

Impact

Exploitation of this vulnerability allows an attacker to bypass the API restrictions implied by the OpenAPI specification and reach internal endpoints it does not list. This could lead to unauthorized actions such as reading sensitive data, invoking administrative functions, or disrupting backend services. Because the requests are sent with the MCP provider's own authorization headers, there is also a risk of privilege escalation: the attacker gains access to restricted resources or actions reserved for higher-privileged users, using credentials they never held themselves.

Reproduction

To reproduce this vulnerability, first set up a FastAPI server with an endpoint that requires administrative privileges, such as '/admin/delete-all'. Then, through the FastMCP OpenAPI provider, issue a request to an operation that takes a path parameter. The _build_url() method substitutes the parameter value into the URL without encoding it, so '../' sequences in the value walk up the URL path out of the API prefix and land on the admin endpoint. This can be done by sending a request with the 'Authorization' header set to a value that grants access to the administrative function.

Remediation

Users should upgrade to FastMCP version 3.2.0 or later, where this vulnerability has been patched. The update ensures that path parameter values are URL-encoded before being inserted into the URL template, so each value can only ever occupy a single path segment and traversal sequences are neutralized. For those unable to upgrade, a manual workaround is to encode path parameter values (including any '/' characters they contain) before the URL is constructed.
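The following is an added illustration, not FastMCP's own code, of the weakness described under Vulnerability and the fix described under Remediation. It models the URL builder in simplified form: build_url_raw substitutes a path parameter verbatim, build_url_encoded percent-encodes the value with safe="" so that '/', '?', '#' and '..' cannot alter the URL's structure, and path_escapes_prefix is a defense-in-depth check that normalizes the literal URL path the way an HTTP client or server would and confirms it still sits under the base URL. BASE_URL, ITEM_TEMPLATE and the sample parameter values are constructed for this example and are not taken from FastMCP.

```python
import posixpath
from urllib.parse import quote, urlsplit

# Constructed, hypothetical values: not FastMCP's real defaults.
BASE_URL = "https://backend.example.internal/api/v1"
ITEM_TEMPLATE = "/items/{item_id}"


def path_escapes_prefix(base_url, url):
    """Defense-in-depth check: remove dot-segments from the literal URL path
    (as a client or server does before routing) and report whether the result
    has left the base URL's path. Percent-encoded bytes are left encoded,
    because '%2F' is data inside a segment, not a segment separator."""
    prefix = urlsplit(base_url).path.rstrip("/")
    normalized = posixpath.normpath(urlsplit(url).path)
    return not (normalized == prefix or normalized.startswith(prefix + "/"))


def build_url_raw(base_url, template, params):
    """Weak builder: substitutes path parameters verbatim.

    A simplified stand-in for the pre-3.2.0 behaviour the advisory describes;
    it is not FastMCP's _build_url(). A value containing '/' or '../'
    becomes part of the path structure instead of staying a single segment.
    """
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", str(value))
    return base_url + path


def build_url_encoded(base_url, template, params):
    """Hardened builder: percent-encodes every value with safe="" so that
    '/', '?', '#' and '..' are inert; the value is always exactly one path
    segment. The prefix check afterwards is belt-and-braces: with encoding in
    place it should never trip, so a failure indicates a bug in the template."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", quote(str(value), safe=""))
    url = base_url + path
    if path_escapes_prefix(base_url, url):
        raise ValueError("path parameter resolved outside the API prefix")
    return url


if __name__ == "__main__":
    traversal = {"item_id": "../../admin/delete-all"}  # constructed sample input
    weak = build_url_raw(BASE_URL, ITEM_TEMPLATE, traversal)
    print(weak, "-> escapes prefix:", path_escapes_prefix(BASE_URL, weak))
    safe = build_url_encoded(BASE_URL, ITEM_TEMPLATE, traversal)
    print(safe, "-> escapes prefix:", path_escapes_prefix(BASE_URL, safe))
    # A legitimate value with a space and a slash survives as one segment.
    print(build_url_encoded(BASE_URL, ITEM_TEMPLATE, {"item_id": "report 2024/Q1"}))
```

Note the safe="" argument: Python's quote() keeps '/' unencoded by default, which would leave the traversal sequence intact, so the slash must be explicitly added to the set of characters to encode. The prefix check is kept separate from encoding on purpose: it can be run against URLs produced by either builder, which makes it usable as a detection or test hook even where the builder itself cannot be changed.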

Added: May 3, 2026, 11:36 AM
Updated: May 3, 2026, 11:36 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.1
exploitability  6.0
remediation     0.0
relevance       5.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.