Attack Chain

1. An attacker crafts a malicious prompt that instructs the LLM-based MCP client to call either the auth_fetch or download_media tool.
2. The malicious prompt includes a URL targeting an internal resource, such as a cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>), a loopback service (e.g., http://127.0.0.1:6379), or an internal admin page (e.g., http://192.168.0.1).
3. If the auth_fetch tool is called, the url is passed directly to page.goto function in src/browser.ts, causing the Playwright browser to navigate to the specified URL without validation.
4. The auth_fetch tool extracts the DOM content of the fetched page using the extractContent function and returns it to the attacker.
5. If the download_media tool is called, the provided URLs are iterated, and ctx.request.get(url) is called for each URL in src/tools.ts, fetching the content without validation.
6. The response body from the fetched URL is written to a file in the user-specified output_dir using fs.writeFileSync in src/tools.ts.
7. The attacker retrieves the fetched data from either the auth_fetch tool’s response or from the files written to disk by the download_media tool.
8. The attacker obtains sensitive information, such as cloud credentials, internal service configurations, or other confidential data.

Impact

Successful exploitation can lead to the theft of cloud credentials, allowing attackers to gain unauthorized access to cloud resources. Internal service enumeration can reveal valuable information about the network infrastructure and potential attack vectors. Access to loopback services can expose sensitive data or allow for further exploitation of vulnerable applications. The disk-write side channel in download_media can enable data exfiltration to shared directories, potentially impacting co-tenant processes. The scope of impact depends on the privileges and access controls of the MCP server environment, the sensitivity of accessible internal resources, and the extent to which the LLM can be prompted to expose these vulnerabilities.

Recommendation

• Implement URL validation in both the auth_fetch and download_media tools to prevent SSRF attacks, using the assertSafeUrl function described in the advisory. Apply the validation at tools.ts:236 and browser.ts:53.
• Restrict the output_dir parameter in the download_media tool to a fixed root directory to prevent writing files to arbitrary locations.
• Monitor network connections originating from the MCP server for connections to internal IP addresses (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) using a network monitoring solution.
• Deploy the Sigma rule “Detect auth-fetch-mcp download_media Disk Write to Unusual Directory” to detect potential exfiltration attempts via unusual output directories.
• Block the IOCs listed in the IOC table at your network perimeter to prevent the exploitation of the SSRF vulnerability.