FastGPT Server-Side Request Forgery Vulnerability in MCP Tools Endpoints

A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions prior to 4.14.9.5. The issue resides in the Model Context Protocol (MCP) tools endpoints, which accept user-supplied URL parameters and make server-side HTTP requests without validating whether the URLs point to internal or private network addresses. This oversight allows authenticated attackers to scan internal networks, access cloud metadata services, and interact with internal databases such as MongoDB and Redis.

Impact

Exploitation of this vulnerability allows for internal network reconnaissance, access to cloud metadata services on platforms like AWS, GCP, or Azure, and interaction with internal services such as MongoDB and Redis, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, authenticate a user session in FastGPT and obtain a session token. Then, send a POST request to either the '/api/core/app/mcpTools/getTools' or '/api/core/app/mcpTools/runTool' endpoint, including the session token in the cookie header and a user-supplied URL pointing to an internal service in the request body. The server-side request will be made to the specified URL, bypassing internal address validation and allowing access to the targeted service.

Remediation

Users can update to FastGPT version 4.14.9.5 or later, where this vulnerability has been patched. For additional security, implement URL allowlisting for MCP server URLs at the application configuration level and use network-level controls to restrict outbound traffic from the FastGPT container.