@aborruso/ckan-mcp-server
cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*
- < 0.4.85
A server-side request forgery (SSRF) vulnerability has been identified in CKAN MCP Server versions prior to 0.4.85. Tools such as 'ckan_package_search' and 'sparql_query' accept a 'base_url' parameter and use it, without validation, as the target of outbound HTTP requests, so whoever controls that parameter can direct the server to arbitrary endpoints: internal network services, or the cloud Instance Metadata Service (IMDS) at 169.254.169.254, from which IAM credentials can be read. The same tools also pass unsanitized query parameters through to the upstream datastore and SPARQL endpoints, which gives an SQL or SPARQL injection surface. Because the parameter is supplied by the assistant rather than typed by the user, exploitation requires prompt injection: malicious content reaching the assistant that instructs it to call the tool with an attacker-chosen 'base_url'.
Successful exploitation allows unauthorized scanning of the internal network from the host running the MCP server, theft of cloud metadata (including IAM credentials from the IMDS), and SQL or SPARQL injection against the upstream datastore through unsanitized query parameters.
To reproduce, invoke the 'ckan_package_search' tool with a crafted 'base_url' that points at an internal service or a cloud metadata endpoint (for example the IMDS at 169.254.169.254) while the MCP server is connected to the assistant. The URL can be injected through a CKAN portal client, which is the prompt-injection path a real attacker would use.
Users are advised to update CKAN MCP Server to version 0.4.85 or later. Deployers should additionally validate the 'base_url' parameter (allow only http and https, preferably against an allowlist of known portals), resolve the host and block private, loopback, link-local and cloud metadata addresses (including 169.254.169.254) before every request rather than once at configuration time, and sanitize or parameterize SQL sent to datastore queries. On AWS, enforcing IMDSv2 also blocks the plain GET that an SSRF through this server would issue, since IMDSv2 first requires a PUT with a custom header to obtain a token.