<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Meta-Ads-Mcp 1.0.113 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/meta-ads-mcp-1.0.113/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 18:48:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/meta-ads-mcp-1.0.113/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Server-Side Request Forgery in meta-ads-mcp via image_url</title><link>https://feed.craftedsignal.io/briefs/2026-07-ssrf-meta-ads-mcp/</link><pubDate>Fri, 17 Jul 2026 18:48:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ssrf-meta-ads-mcp/</guid><description>An unauthenticated remote attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in `meta-ads-mcp` v1.0.113, specifically within the `upload_ad_image` function, by providing a malicious `image_url` parameter that causes the server to make arbitrary outbound HTTP requests to internal services, RFC 1918 addresses, or cloud metadata endpoints, leading to information disclosure and potential internal network compromise.</description><content:encoded><![CDATA[<p>A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in <code>meta-ads-mcp</code> version 1.0.113, affecting the <code>upload_ad_image</code> function. This flaw allows an unauthenticated remote attacker to coerce the server into making arbitrary HTTP GET requests to internal or external network targets. The vulnerability stems from the <code>image_url</code> parameter within the <code>upload_ad_image</code> tool, which is passed directly to an <code>httpx.AsyncClient</code> without any scheme, host, or IP address validation. Crucially, the authorization middleware only requires a non-empty Bearer token, meaning the SSRF is triggered before any meaningful Meta API credential validation occurs. This permits attackers to access localhost services, private network ranges (RFC 1918), and cloud instance metadata endpoints (e.g., <code>http://169.254.169.254/</code>), with a CVSS 3.1 Base Score of 8.3 (High). The issue specifically manifests when the server is deployed using the officially supported <code>--transport streamable-http</code> mode.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a JSON-RPC <code>initialize</code> request to the <code>meta-ads-mcp</code> <code>/mcp</code> endpoint, including a non-empty <code>Authorization: Bearer</code> token.</li>
<li>The attacker sends a subsequent JSON-RPC <code>tools/call</code> request to the same <code>/mcp</code> endpoint, specifying <code>upload_ad_image</code> as the tool to execute.</li>
<li>Within the <code>tools/call</code> request's <code>arguments</code> field, the attacker includes a crafted <code>image_url</code> parameter pointing to an internal target (e.g., <code>http://127.0.0.1:9009/poc.jpg</code>, <code>http://169.254.169.254/latest/meta-data/</code>).</li>
<li>The <code>meta-ads-mcp</code> application's authorization middleware verifies only the presence of a non-empty Bearer token in the <code>Authorization</code> header, allowing the request to proceed to the image download logic.</li>
<li>The application passes the attacker-controlled <code>image_url</code> directly to the <code>try_multiple_download_methods</code> function in <code>meta_ads_mcp/core/ads.py</code>.</li>
<li>An <code>httpx.AsyncClient</code> instance, configured to <code>follow_redirects=True</code>, initiates an outbound HTTP GET request to the arbitrary URL provided in <code>image_url</code> without any prior scheme, host, or IP address validation.</li>
<li>The <code>meta-ads-mcp</code> server establishes a connection and performs the GET request against the specified internal or cloud resource.</li>
<li>The server then attempts to perform Meta API credential validation, but the Server-Side Request Forgery has already successfully occurred.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This Server-Side Request Forgery (SSRF) vulnerability allows an attacker to compel the vulnerable <code>meta-ads-mcp</code> server to initiate arbitrary HTTP GET requests. The primary impact is information disclosure, as an attacker can access sensitive data from internal network services, private IP ranges (RFC 1918), or cloud instance metadata endpoints (e.g., <code>http://169.254.169.254/</code>). This could expose highly confidential information such as IAM credentials, instance identity documents, bootstrap secrets, and internal network architecture details. Additionally, an attacker could use this vulnerability for internal network reconnaissance, mapping out accessible services, and potentially triggering state-changing actions on internal systems or causing limited denial of service by overwhelming internal targets. Organizations running <code>meta-ads-mcp</code> with the <code>--transport streamable-http</code> option in environments co-located with sensitive resources are at direct risk of compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch <code>meta-ads-mcp</code> to a version higher than 1.0.113 immediately, as this vulnerability has been disclosed.</li>
<li>Monitor network traffic for outbound HTTP GET requests from <code>meta-ads-mcp</code> instances to unusual internal IP addresses (RFC 1918, localhost) or cloud metadata endpoints like <code>169.254.169.254</code>, which could indicate attempted exploitation.</li>
<li>Implement egress filtering on firewalls to restrict <code>meta-ads-mcp</code> instances from initiating connections to private IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and cloud metadata addresses (e.g., <code>169.254.169.254</code>).</li>
<li>Review application logs for <code>meta-ads-mcp</code> to identify attempts to call <code>upload_ad_image</code> with suspicious <code>image_url</code> parameters referencing internal network addresses or cloud metadata endpoints as shown in the IOCs section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>vulnerability</category><category>web</category><category>python</category><category>unauthenticated</category></item></channel></rss>