{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/auth-fetch-mcp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["auth-fetch-mcp (\u003c= 3.0.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","disk-exfiltration","auth-fetch-mcp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e package is vulnerable to server-side request forgery (SSRF) and disk exfiltration. The \u003ccode\u003edownload_media\u003c/code\u003e and \u003ccode\u003eauth_fetch\u003c/code\u003e tools within the package accept arbitrary URLs without proper validation, allowing a malicious MCP client to force the server to fetch internal resources, cloud metadata endpoints, or loopback addresses. This vulnerability can be exploited to steal cloud credentials, enumerate internal services, and access sensitive information. The \u003ccode\u003edownload_media\u003c/code\u003e tool further exacerbates the risk by writing the fetched content to a user-controlled output directory, enabling data exfiltration. 
This vulnerability affects versions 3.0.0 and earlier of the \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt that instructs the LLM-based MCP client to call either the \u003ccode\u003eauth_fetch\u003c/code\u003e or \u003ccode\u003edownload_media\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eThe malicious prompt includes a URL targeting an internal resource, such as a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u0026lt;role\u0026gt;\u003c/code\u003e), a loopback service (e.g., \u003ccode\u003ehttp://127.0.0.1:6379\u003c/code\u003e), or an internal admin page (e.g., \u003ccode\u003ehttp://192.168.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003eauth_fetch\u003c/code\u003e tool is called, the \u003ccode\u003eurl\u003c/code\u003e is passed directly to the \u003ccode\u003epage.goto\u003c/code\u003e function in \u003ccode\u003esrc/browser.ts\u003c/code\u003e, causing the Playwright browser to navigate to the specified URL without validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauth_fetch\u003c/code\u003e tool extracts the DOM content of the fetched page using the \u003ccode\u003eextractContent\u003c/code\u003e function and returns it to the attacker.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003edownload_media\u003c/code\u003e tool is called, the provided URLs are iterated, and \u003ccode\u003ectx.request.get(url)\u003c/code\u003e is called for each URL in \u003ccode\u003esrc/tools.ts\u003c/code\u003e, fetching the content without validation.\u003c/li\u003e\n\u003cli\u003eThe response body from the fetched URL is written to a file in the user-specified \u003ccode\u003eoutput_dir\u003c/code\u003e using \u003ccode\u003efs.writeFileSync\u003c/code\u003e in 
\u003ccode\u003esrc/tools.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the fetched data from either the \u003ccode\u003eauth_fetch\u003c/code\u003e tool\u0026rsquo;s response or from the files written to disk by the \u003ccode\u003edownload_media\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains sensitive information, such as cloud credentials, internal service configurations, or other confidential data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of cloud credentials, allowing attackers to gain unauthorized access to cloud resources. Internal service enumeration can reveal valuable information about the network infrastructure and potential attack vectors. Access to loopback services can expose sensitive data or allow for further exploitation of vulnerable applications. The disk-write side channel in \u003ccode\u003edownload_media\u003c/code\u003e can enable data exfiltration to shared directories, potentially impacting co-tenant processes. The scope of impact depends on the privileges and access controls of the MCP server environment, the sensitivity of accessible internal resources, and the extent to which the LLM can be prompted to expose these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement URL validation in both the \u003ccode\u003eauth_fetch\u003c/code\u003e and \u003ccode\u003edownload_media\u003c/code\u003e tools to prevent SSRF attacks, using the \u003ccode\u003eassertSafeUrl\u003c/code\u003e function described in the advisory. 
Apply the validation at \u003ccode\u003etools.ts:236\u003c/code\u003e and \u003ccode\u003ebrowser.ts:53\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict the \u003ccode\u003eoutput_dir\u003c/code\u003e parameter in the \u003ccode\u003edownload_media\u003c/code\u003e tool to a fixed root directory to prevent writing files to arbitrary locations.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the MCP server for connections to internal IP addresses (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect auth-fetch-mcp download_media Disk Write to Unusual Directory\u0026rdquo; to detect potential exfiltration attempts via unusual output directories.\u003c/li\u003e\n\u003cli\u003eBlock the IOCs listed in the IOC table at your network perimeter to prevent the exploitation of the SSRF vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:48:49Z","date_published":"2026-05-19T15:48:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-auth-fetch-mcp-ssrf/","summary":"The auth-fetch-mcp package is vulnerable to server-side request forgery (SSRF) and disk exfiltration due to unvalidated URLs in the `download_media` and `auth_fetch` tools, allowing an attacker to fetch internal resources, cloud metadata, or loopback addresses, potentially leading to credential theft, internal service enumeration, and sensitive information disclosure.","title":"auth-fetch-mcp SSRF and Disk Exfiltration Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-auth-fetch-mcp-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Auth-Fetch-Mcp","version":"https://jsonfeed.org/version/1.1"}