FastGPT Unauthenticated Server-Side Request Forgery Vulnerability in MCP Tools Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions through 4.14.10.2. The issue arises in the '/api/core/app/mcpTools/runTool' endpoint, which accepts arbitrary URLs without authentication. Its internal IP validation blocks private addresses only when the 'CHECK_INTERNAL_IP' environment variable is set to 'true', which is not the default. This oversight allows unauthenticated attackers to reach internal network resources.

Impact

Exploitation of this vulnerability allows for unauthorized access to internal network resources, potentially leading to further attacks or data exposure.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/core/app/mcpTools/runTool' endpoint without authentication. Include a URL parameter that points to an internal IP address. If the 'CHECK_INTERNAL_IP' variable is not set to 'true', the request will be processed, allowing access to the specified internal resource.

Remediation

Update to FastGPT version 4.14.10.3 or later, which addresses this vulnerability.
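The check described in the Vulnerability section, shown as an added example rather than FastGPT's own code: the env-gated pattern the advisory describes next to an always-on outbound-URL guard of the kind the fix implies. Function names, the resolvedAddrs parameter and the 203.0.113.10 sample address are assumptions constructed for this illustration.

```typescript
// Added example, not FastGPT's own code: an outbound-URL guard for MCP tool
// calls, written so that the private-range check cannot be switched off.
import { isIP } from "node:net";

// Weak pattern from the advisory: the check runs only when the variable is the
// string "true", so the default configuration inspects nothing.
export function envGatedCheck(url: string, checkInternalIp: string | undefined): boolean {
  if (checkInternalIp !== "true") return true; // allowed without inspection
  return isAllowedOutboundUrl(url);
}

// Hardened pattern: always validate. For hostnames the caller passes the
// addresses it resolved and must connect to exactly those (DNS rebinding).
export function isAllowedOutboundUrl(url: string, resolvedAddrs: string[] = []): boolean {
  let parsed: URL;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  // WHATWG parsing already normalises shorthand such as "127.1" or "2130706433".
  const host = parsed.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (isIP(host)) return !isInternalAddress(host);
  // Non-literal hostname: deny unless every resolved address is external.
  return resolvedAddrs.length > 0 && resolvedAddrs.every((a) => isIP(a) !== 0 && !isInternalAddress(a));
}

// Loopback, private, link-local, CGNAT, unspecified and IPv4-mapped IPv6 ranges.
export function isInternalAddress(ip: string): boolean {
  const h = ip.toLowerCase();
  if (isIP(h) === 6) {
    const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isInternalAddress(dotted[1]);
    const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // URL serialiser form
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isInternalAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return h === "::1" || h === "::" || h.startsWith("fe80:") || /^f[cd]/.test(h);
  }
  const [a, b] = h.split(".").map(Number);
  return a === 0 || a === 10 || a === 127
    || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a === 100 && b >= 64 && b <= 127);
}
```

The guard only covers literal addresses and caller-supplied resolutions; an HTTP client that follows redirects must re-run it on every redirect target.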

Added: Apr 10, 2026, 5:37 PM
Updated: Apr 10, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.