Product
An unauthenticated remote attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `meta-ads-mcp` v1.0.113, specifically within the `upload_ad_image` function, by providing a malicious `image_url` parameter that causes the server to make arbitrary outbound HTTP requests to internal services, RFC 1918 addresses, or cloud metadata endpoints, leading to information disclosure and potential internal network compromise.