Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
An attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `@apify/actors-mcp-server` version `0.10.7` by crafting a malicious Actor definition to inject an arbitrary authority into a URL, causing the MCP client to exfiltrate the victim's Apify API token to the attacker's server, granting full access to their Apify account.
A critical Server-Side Request Forgery (SSRF) vulnerability, tracked as GHSA-6gr2-qh89-hxwm, exists in @apify/actors-mcp-server version 0.10.7 and earlier. This flaw allows an attacker to exfiltrate Apify API tokens from users who interact with a specially crafted malicious Actor. The vulnerability stems from improper validation of the webServerMcpPath value, which is sourced from an attacker-controlled Actor definition. By injecting an authority (e.g., @attacker.example/mcp) into this path, an attacker can redirect the MCP client's outbound connection to an arbitrary host. Crucially, the MCP client unconditionally attaches the victim's Authorization: Bearer <APIFY_TOKEN> header to these outbound connections, leading to the silent exfiltration of the API token. This grants the attacker full access to the victim's Apify account, enabling actions such as running and managing Actors, accessing stored data, and incurring compute charges, without requiring special privileges or code execution on the victim's machine.
Attack Chain
- An attacker publishes a malicious Actor on the Apify platform, crafting its definition to include a
webServerMcpPathvalue designed for URL authority injection (e.g.,@attacker.example/mcp). - A victim, running
@apify/actors-mcp-server(version0.10.7or earlier) and configured with an Apify API token, initiates an MCP tool call (e.g.,call-actororfetch-actor-details) targeting the attacker-controlled Actor. - The
apifyTokenis resolved from environment variables, server options, or the MCP request's_meta.apifyToken. - The application fetches the attacker's Actor definition from the Apify API, retrieving the malicious
webServerMcpPath. - The
getActorMCPServerURL()function receives thewebServerMcpPath, trims and splits it, but crucially performs no validation against authority injection. - The function then concatenates a trusted
standbyUrlwith the maliciousmcpServerPath, creating an authority-injected URL (e.g.,https://real-actor-id.apify.actor@attacker.example/mcp). - The
connectMCPClient()function is invoked with this crafted URL and the victim's Apify API token. - The
connectMCPClient()then establishes an outbound HTTP connection to the attacker's server (attacker.example), sending the victim'sAuthorization: Bearer <APIFY_TOKEN>header, thereby exfiltrating the token.
Impact
Any user of @apify/actors-mcp-server versions prior to 0.10.8 who has an Apify API token configured and is induced to invoke an MCP tool against an attacker-controlled Actor will have their Apify API token silently exfiltrated. The exfiltrated token grants the attacker full administrative access to the victim's Apify account, allowing them to run, manage, and modify Actors, access sensitive data stored within the account, and potentially incur significant compute charges. The attack requires no special privileges on the victim's side and no code execution on their machine, only the interaction with a malicious Actor on the Apify platform, posing a significant risk to the integrity and confidentiality of user accounts.
Recommendation
- Immediately update
@apify/actors-mcp-serverto version0.10.8or newer to remediate the URL authority injection vulnerability (GHSA-6gr2-qh89-hxwm). - Implement strict outbound network egress filtering to prevent unauthorized connections to unknown or untrusted domains, specifically monitoring for connections from
@apify/actors-mcp-serverprocesses that containAuthorization: Bearerheaders directed to domains other than*.apify.comor other explicitly allowed Apify infrastructure. - Consider using dedicated network monitoring tools to detect connections to suspicious IP addresses or domains (e.g.,
attacker.exampleor127.0.0.1as seen in PoC) from your Apify infrastructure.
Indicators of compromise
1
domain
1
url
| Type | Value |
|---|---|
| domain | attacker.example |
| url | https://real-actor-id.apify.actor@attacker.example/mcp |