FastGPT Stored SSRF Vulnerability in MCP Tool URL Handling

A stored Server-Side Request Forgery (SSRF) vulnerability has been identified in FastGPT, an AI agent building platform, prior to version 4.14.17. The issue arises from inconsistent protection against internal URL access in the MCP tool management process. While the MCP preview and run endpoints correctly block internal network URLs, the create and update endpoints allow the saving of such URLs. An authenticated user with the right permissions could exploit this by storing an internal URL, which would later be accessed during workflow execution, bypassing the intended network restrictions.

Impact

Exploitation of this vulnerability allows authenticated users with MCP toolset management permissions to cause the FastGPT backend to connect to internal network resources, potentially accessing sensitive data or services. The vulnerability does not require unauthenticated access and could lead to unauthorized interactions with internal systems, depending on the network environment and available services.

Reproduction

To reproduce this vulnerability, first, authenticate as a user with permission to manage MCP toolsets. Then, create or update an MCP toolset by entering an internal URL, such as one pointing to a localhost service. Once the URL is saved, initiate a workflow that uses the MCP tool. The backend will execute the workflow and connect to the internal URL without applying the necessary validation, demonstrating the SSRF vulnerability.

Remediation

Users can update to FastGPT version 4.14.17 or later, where this vulnerability has been patched. The update includes added validation to ensure MCP tool URLs are not internal before they are saved, and rechecks stored URLs prior to workflow execution.