{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mcp-chat-studio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7147"}],"_cs_exploited":false,"_cs_products":["mcp-chat-studio"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7147","ssrf","mcp-chat-studio"],"_cs_type":"advisory","_cs_vendors":["JoeCastrom"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability has been identified in JoeCastrom\u0026rsquo;s mcp-chat-studio, affecting versions up to 1.5.0. The vulnerability resides within the LLM Models API, specifically in the \u003ccode\u003eserver/routes/llm.js\u003c/code\u003e file. An attacker can remotely exploit this flaw by manipulating the \u003ccode\u003ereq.query.base_url\u003c/code\u003e argument. This allows the attacker to make arbitrary HTTP requests from the server, potentially leading to information disclosure, internal service access, or other malicious activities. The vulnerability is publicly known and actively discussed, increasing the risk of exploitation. The vendor was notified but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an mcp-chat-studio instance running a vulnerable version (\u0026lt;= 1.5.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/routes/llm.js\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003ereq.query.base_url\u003c/code\u003e parameter to point to an attacker-controlled server or an internal resource.\u003c/li\u003e\n\u003cli\u003eThe mcp-chat-studio server processes the request and, due to the SSRF vulnerability, makes an HTTP request to the URL specified in the \u003ccode\u003ereq.query.base_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the attacker controls the \u003ccode\u003ebase_url\u003c/code\u003e, they can intercept the request and potentially steal sensitive information.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003ebase_url\u003c/code\u003e points to an internal resource, the attacker may gain unauthorized access to internal services or data.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the response from the manipulated request to gather information about the internal network or services.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to further compromise the mcp-chat-studio instance or the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can allow an attacker to read sensitive data from internal services, potentially leading to credential theft or data exfiltration. It can also be used to pivot to other internal systems, causing a wider breach. The lack of vendor response increases the risk, as no patch or mitigation is currently available. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/routes/llm.js\u003c/code\u003e containing suspicious URLs in the \u003ccode\u003ereq.query.base_url\u003c/code\u003e parameter using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks by restricting access from the mcp-chat-studio server to internal resources.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider applying a web application firewall (WAF) rule to filter requests to \u003ccode\u003e/routes/llm.js\u003c/code\u003e that contain potentially malicious URLs in the \u003ccode\u003ereq.query.base_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mcp-chat-studio-ssrf/","summary":"A server-side request forgery vulnerability exists in JoeCastrom mcp-chat-studio up to version 1.5.0 in the LLM Models API component, allowing remote attackers to manipulate the req.query.base_url argument and potentially conduct further attacks.","title":"JoeCastrom mcp-chat-studio Server-Side Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-mcp-chat-studio-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Mcp-Chat-Studio","version":"https://jsonfeed.org/version/1.1"}