dmitryglhf mcp-url-downloader Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in dmitryglhf mcp-url-downloader in versions prior to commit 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. The flaw is in the _validate_url_safe function in src/mcp_url_downloader/server.py. That check is applied only to the URL supplied by the caller: it rejects localhost and private IP ranges, but redirects are then followed and the redirect targets are never passed back through the same check. An attacker who controls a public URL can therefore redirect the downloader to internal HTTP resources, such as a cloud metadata service or an application bound to the local host, and have the response written to disk.
Impact
Exploitation gives an attacker read access to internal HTTP resources reachable from the host running the downloader, which can expose sensitive data such as cloud metadata (including any credentials it serves) and responses from other private endpoints. If a reachable internal service accepts state-changing requests over HTTP, the same redirect chain can be used to trigger them. Repeatedly fetching large responses from internal endpoints can also degrade availability, bounded only by whatever size and count limits the downloader enforces.
Reproduction
To reproduce, host a public URL under your control that responds with an HTTP redirect to an internal resource, such as a cloud metadata service or an application listening on the local host. Then invoke the download_single_file or download_files MCP tool with the redirecting URL as the argument. The initial check sees only the public host and accepts the URL; the downloader then follows the redirect to the internal resource and saves the response into the specified output directory.
Remediation
As of now, there is no official patch available for this vulnerability. Until one is applied, do not let the HTTP client follow redirects automatically: follow them one hop at a time and run every redirect target (each Location header, after resolving relative URLs against the current URL) through the same host and IP validation before requesting it. As a defence in depth, block the downloader's outbound access to metadata and loopback addresses at the network layer.
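The validate-once pattern from the Vulnerability section beside the per-hop re-validation recommended above, as an added example; this is not code from mcp-url-downloader and its is_url_safe function is not the project's _validate_url_safe. The validator, the FAKE_DNS table and the FAKE_HTTP response table are assumptions constructed so the example runs offline; 169.254.169.254 and metadata.google.internal are the usual cloud metadata addresses, used here only as sample targets.

```python
"""Added example (not the project's code): why validating only the entry URL is
not enough when redirects are followed. The validator, the fake DNS table and
the fake HTTP responses are assumptions constructed so this runs offline; they
stand in for socket.getaddrinfo and a real HTTP client."""
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed name resolution table (assumption, replaces real DNS).
FAKE_DNS = {
    "attacker.example": "93.184.216.34",            # public address
    "metadata.google.internal": "169.254.169.254",  # link-local metadata service
}

# Constructed HTTP responses keyed by URL: (status, headers, body).
FAKE_HTTP = {
    "http://attacker.example/clean.txt": (200, {}, b"harmless file"),
    "http://attacker.example/file.txt": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "http://attacker.example/hop": (302, {"Location": "/hop2"}, b""),  # relative hop
    "http://attacker.example/hop2": (
        307, {"Location": "http://metadata.google.internal/computeMetadata/v1/"}, b""),
    "http://metadata.google.internal/computeMetadata/v1/": (
        200, {}, b"project/\ninstance/\n"),
}


def resolve(host):
    """Return the IP a hostname would connect to (literal IPs pass through)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host])  # KeyError for unknown names


def is_url_safe(url):
    """Per-URL check: http(s) only, no localhost, and the resolved address must
    not be private, loopback, link-local (covers 169.254.169.254), reserved,
    multicast or unspecified."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname == "localhost":
        return False
    try:
        ip = resolve(parts.hostname)
    except KeyError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def fake_get(url):
    """Stand-in for one HTTP request that does not follow redirects itself."""
    return FAKE_HTTP[url]


def fetch_validate_once(url):
    """Vulnerable shape: validate the caller's URL, then follow redirects blindly."""
    if not is_url_safe(url):
        raise ValueError("blocked: " + url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fake_get(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])  # never re-checked
            continue
        return url, body
    raise ValueError("too many redirects")


def fetch_validate_each_hop(url):
    """Hardened shape: redirects are followed manually and every hop,
    absolute or relative, is re-validated before it is requested."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_url_safe(url):
            raise ValueError("blocked: " + url)
        status, headers, body = fake_get(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise ValueError("too many redirects")


def outcome(fetcher, url):
    """Summarise a fetch as 'delivered <final_url>' or 'blocked: <url>'."""
    try:
        final_url, _body = fetcher(url)
        return "delivered " + final_url
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for start in ("http://attacker.example/clean.txt",
                  "http://attacker.example/file.txt",
                  "http://attacker.example/hop"):
        print(start)
        print("  validate-once:    ", outcome(fetch_validate_once, start))
        print("  validate-each-hop:", outcome(fetch_validate_each_hop, start))
```

Running the block prints, for each starting URL, what the validate-once fetcher delivers and where the per-hop fetcher stops: the harmless file is delivered by both, while both the direct redirect to 169.254.169.254 and the relative-then-absolute chain through metadata.google.internal are delivered by the first and blocked by the second. One caveat for a real fix: the check must resolve the hostname and test the resulting address rather than match strings, and the connection should then be made to that same resolved address; otherwise a name that resolves differently on the second lookup (DNS rebinding) defeats the check.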
