MCP Registry Unauthenticated Server-Side Request Forgery Vulnerability in Namespace Verification

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the MCP Registry's HTTP-based namespace verification process in versions prior to 1.7.7. The vulnerability arises because the verification dials private/internal IPv6 addresses, including IPv6 addresses that tunnel arbitrary IPv4 addresses such as those of cloud metadata services, bypassing a private-address allowlist. This issue is present in the latest 'main' HEAD '23f4fda' and the current production 'v1.7.6' deployment at 'https://registry.modelcontextprotocol.io/v0/auth/http'.

Impact

Exploitation allows unauthenticated attackers to reach any IPv4 address routable from the registry's outbound interface, including cloud metadata services, internal Kubernetes API servers, and other internal admin panels or services, with the outcome depending on the response from the dialed address.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated POST request to the '/v0/auth/http' endpoint with a domain that resolves to a 6to4 or NAT64 IPv6 address embedding an IPv4 address, such as one corresponding to a cloud metadata service. The request must include a valid RFC3339 timestamp and a hex-encoded string as the 'signedTimestamp', which will be decoded but not verified until after the vulnerable dialing occurs.

Remediation

Users should update to MCP Registry version 1.7.7 or later, where this vulnerability has been fixed.
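
Added example (not the MCP Registry's actual patch, and not code from the advisory): a Go check that unwraps IPv4-mapped, 6to4 (2002::/16) and NAT64 (64:ff9b::/96) addresses before testing the resolved address against private, loopback and link-local ranges. The function names and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Prefixes that carry an IPv4 address inside an IPv6 address.
var (
	sixToFour = netip.MustParsePrefix("2002::/16")    // RFC 3056: IPv4 in bytes 2..5
	nat64     = netip.MustParsePrefix("64:ff9b::/96") // RFC 6052: IPv4 in bytes 12..15
)

// embeddedIPv4 (hypothetical helper) returns the IPv4 address carried inside an
// IPv4-mapped, 6to4 or NAT64 address, or the address unchanged if none is embedded.
func embeddedIPv4(a netip.Addr) netip.Addr {
	a = a.Unmap() // ::ffff:a.b.c.d -> a.b.c.d
	if !a.Is6() {
		return a
	}
	b := a.As16()
	switch {
	case sixToFour.Contains(a):
		return netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]})
	case nat64.Contains(a):
		return netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})
	}
	return a
}

// isBlockedDialTarget (hypothetical helper) reports whether a resolved address
// must not be dialed. The verdict is taken on the unwrapped address, so an
// internal IPv4 target cannot hide behind a globally routable IPv6 prefix.
func isBlockedDialTarget(a netip.Addr) bool {
	c := embeddedIPv4(a)
	return !c.IsValid() || c.IsLoopback() || c.IsPrivate() || c.IsUnspecified() ||
		c.IsLinkLocalUnicast() || c.IsMulticast()
}

func main() {
	// Constructed sample addresses: link-local in 6to4, RFC 1918 in NAT64, two public.
	for _, s := range []string{"2002:a9fe:a9fe::1", "64:ff9b::a00:1", "2001:4860:4860::8888", "93.184.216.34"} {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-22s target=%-22s blocked=%v\n", s, embeddedIPv4(a), isBlockedDialTarget(a))
	}
}
```

A check like this only holds if it runs on the address the socket actually connects to (for example from the `Control` hook of `net.Dialer`), not on a separate DNS lookup made before the dial.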

Added: May 14, 2026, 9:52 PM
Updated: May 14, 2026, 9:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 8.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.