spring-ai-community mcp-security
- 0.1.0
A server-side request forgery (SSRF) vulnerability has been identified in the mcp-security framework, which supports Security and Authorization for Model Context Protocol in Spring AI. This issue affects versions prior to 0.1.9 and arises from the framework's failure to implement required SSRF mitigations. Untrusted URLs are processed for OAuth-related discovery and metadata without proper verification, which potentially exposes installations that have Dynamic Client Registration (DCR) enabled. DCR does not validate URLs provided by MCP Servers and Authorization Servers, so those URLs can be used for exploitation.
The vulnerability allows for server-side request forgery, where an attacker could manipulate the application into making requests to internal services or external resources, potentially leading to unauthorized data access or interaction with internal systems.
Users can upgrade to version 0.1.9 or later to address this vulnerability. If DCR is necessary, users may provide their own McpOAuth2ClientManager. Additionally, both McpMetadataDiscoveryService and DynamicClientRegistrationService can be customized with subclasses or default implementations that include a RestClient with URL filtering capabilities.
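An added illustration of the URL filtering mentioned above, not code from mcp-security or from the advisory: a JDK-only check that could run before each outbound discovery or registration request, for instance from a Spring ClientHttpRequestInterceptor registered on the RestClient. The class name OutboundUrlFilter, the HTTPS-only policy, the blocked address ranges and the sample URLs are assumptions constructed for this example.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;

/** Added example (hypothetical class): rejects URLs that resolve to internal addresses. */
public final class OutboundUrlFilter {

    /** Throws IllegalArgumentException if the URL must not be fetched. */
    public static void check(URI uri) {
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + uri);
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("missing host or embedded credentials: " + uri);
        }
        InetAddress[] resolved;
        try {
            resolved = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("unresolvable host: " + host, e);
        }
        // Every resolved address must be public; one internal record is enough to reject.
        for (InetAddress addr : resolved) {
            if (isInternal(addr)) {
                throw new IllegalArgumentException(
                        "internal address " + addr.getHostAddress() + " for " + host);
            }
        }
    }

    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;              // fc00::/7
        boolean cgnat = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64; // 100.64.0.0/10
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6 || cgnat;
    }

    public static void main(String[] args) {
        // Constructed sample URLs (IP literals, so no DNS lookup is needed).
        for (String s : List.of("https://127.0.0.1/.well-known/oauth-authorization-server",
                "https://169.254.169.254/latest/meta-data/", "http://203.0.113.10/register",
                "https://[fd00::1]/register", "https://203.0.113.10/register")) {
            try { check(URI.create(s)); System.out.println("ALLOW " + s); }
            catch (IllegalArgumentException e) { System.out.println("BLOCK " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The check resolves the host separately from the HTTP client, so a deployed filter should also connect only to the address it validated and apply the same check to every redirect target.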