Unauthenticated Server-Side Request Forgery in meta-ads-mcp via image_url
An unauthenticated remote attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `meta-ads-mcp` v1.0.113, specifically within the `upload_ad_image` function, by providing a malicious `image_url` parameter that causes the server to make arbitrary outbound HTTP requests to internal services, RFC 1918 addresses, or cloud metadata endpoints, leading to information disclosure and potential internal network compromise.
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in meta-ads-mcp version 1.0.113, affecting the upload_ad_image function. This flaw allows an unauthenticated remote attacker to coerce the server into making arbitrary HTTP GET requests to internal or external network targets. The vulnerability stems from the image_url parameter within the upload_ad_image tool, which is passed directly to an httpx.AsyncClient without any scheme, host, or IP address validation. Crucially, the authorization middleware only requires a non-empty Bearer token, meaning the SSRF is triggered before any meaningful Meta API credential validation occurs. This permits attackers to access localhost services, private network ranges (RFC 1918), and cloud instance metadata endpoints (e.g., http://169.254.169.254/), with a CVSS 3.1 Base Score of 8.3 (High). The issue specifically manifests when the server is deployed using the officially supported --transport streamable-http mode.
Attack Chain
- An unauthenticated attacker sends a JSON-RPC
initializerequest to themeta-ads-mcp/mcpendpoint, including a non-emptyAuthorization: Bearertoken. - The attacker sends a subsequent JSON-RPC
tools/callrequest to the same/mcpendpoint, specifyingupload_ad_imageas the tool to execute. - Within the
tools/callrequest'sargumentsfield, the attacker includes a craftedimage_urlparameter pointing to an internal target (e.g.,http://127.0.0.1:9009/poc.jpg,http://169.254.169.254/latest/meta-data/). - The
meta-ads-mcpapplication's authorization middleware verifies only the presence of a non-empty Bearer token in theAuthorizationheader, allowing the request to proceed to the image download logic. - The application passes the attacker-controlled
image_urldirectly to thetry_multiple_download_methodsfunction inmeta_ads_mcp/core/ads.py. - An
httpx.AsyncClientinstance, configured tofollow_redirects=True, initiates an outbound HTTP GET request to the arbitrary URL provided inimage_urlwithout any prior scheme, host, or IP address validation. - The
meta-ads-mcpserver establishes a connection and performs the GET request against the specified internal or cloud resource. - The server then attempts to perform Meta API credential validation, but the Server-Side Request Forgery has already successfully occurred.
Impact
This Server-Side Request Forgery (SSRF) vulnerability allows an attacker to compel the vulnerable meta-ads-mcp server to initiate arbitrary HTTP GET requests. The primary impact is information disclosure, as an attacker can access sensitive data from internal network services, private IP ranges (RFC 1918), or cloud instance metadata endpoints (e.g., http://169.254.169.254/). This could expose highly confidential information such as IAM credentials, instance identity documents, bootstrap secrets, and internal network architecture details. Additionally, an attacker could use this vulnerability for internal network reconnaissance, mapping out accessible services, and potentially triggering state-changing actions on internal systems or causing limited denial of service by overwhelming internal targets. Organizations running meta-ads-mcp with the --transport streamable-http option in environments co-located with sensitive resources are at direct risk of compromise.
Recommendation
- Patch
meta-ads-mcpto a version higher than 1.0.113 immediately, as this vulnerability has been disclosed. - Monitor network traffic for outbound HTTP GET requests from
meta-ads-mcpinstances to unusual internal IP addresses (RFC 1918, localhost) or cloud metadata endpoints like169.254.169.254, which could indicate attempted exploitation. - Implement egress filtering on firewalls to restrict
meta-ads-mcpinstances from initiating connections to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and cloud metadata addresses (e.g.,169.254.169.254). - Review application logs for
meta-ads-mcpto identify attempts to callupload_ad_imagewith suspiciousimage_urlparameters referencing internal network addresses or cloud metadata endpoints as shown in the IOCs section.
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | http://169.254.169.254/latest/meta-data/ |
| url | http://attacker.com/redirect |