Overview
The is_ip_private() function in mcp-fetch-server versions <= 1.0.2 fails to properly validate private IP addresses, allowing Server-Side Request Forgery (SSRF) attacks that reach internal network services. CVSS score: 9.3.
Who Is Affected
Discovered by Snyk security researchers. Affects users of the mcp-fetch-server package, a popular MCP server for fetching web content on behalf of LLM agents.
Where It Exists
The vulnerability is in the IP validation logic of the mcp-fetch-server npm package. The is_ip_private() function has incomplete checks that allow bypasses using alternative IP representations.
When It Was Found
Disclosed in mid-2025. Fixed in mcp-fetch-server versions after 1.0.2.
How It Works
An attacker crafts a URL that points to an internal/private IP address using an alternative representation that the is_ip_private() check does not recognize (e.g., decimal IP notation, IPv4-mapped IPv6 addresses, DNS rebinding). The MCP server fetches the URL on the attacker's behalf, effectively making requests to internal network services that should be unreachable from outside the network.
Impact
Attackers can scan and access internal network services, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), databases, and other infrastructure that trusts requests originating from the server's network. This can lead to credential theft from cloud metadata, internal data exfiltration, and lateral movement.
Mitigation
Update mcp-fetch-server to the latest version. Implement robust IP validation that covers all private ranges, loopback, link-local, and cloud metadata addresses, and that is applied to the normalized, resolved address rather than to the raw hostname string. Use allowlist-based URL validation. Deploy network-level egress controls so that SSRF is blocked even when application-level checks are bypassed.
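The following is an added example of the kind of hardened check the bypass classes above (decimal notation, IPv4-mapped IPv6, DNS rebinding) call for. It is not code from mcp-fetch-server or from Snyk's advisory. It assumes Node.js 18 or later (for the global WHATWG URL class, which canonicalizes numeric IPv4 hostnames) and takes the DNS resolver as an injected function so it runs offline; the hostnames and addresses in the usage section are constructed test values.

```javascript
// Added example (not mcp-fetch-server code): a hardened private-address guard
// for an SSRF check. Assumes Node.js >= 18 for the global URL class.

// Blocked IPv4 ranges in CIDR form: "this network", RFC 1918, CGNAT, loopback,
// link-local (which contains the 169.254.169.254 cloud metadata endpoint),
// multicast and reserved.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
  "224.0.0.0/4", "240.0.0.0/4",
];

// Minimal literal-IP classifier (production code would use net.isIP).
function ipKind(s) {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(s) && s.split(".").every((p) => Number(p) <= 255)) return 4;
  if (/^[0-9a-fA-F:.]+$/.test(s) && s.includes(":")) return 6;
  return 0;
}

function v4ToInt(ip) {
  const p = ip.split(".").map(Number);
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function v4InCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (v4ToInt(ip) & mask) === (v4ToInt(base) & mask);
}

function isPrivateV4(ip) {
  return BLOCKED_V4.some((cidr) => v4InCidr(ip, cidr));
}

// Expand an IPv6 literal into eight 16-bit words, handling "::" compression
// and a dotted-quad tail such as ::ffff:127.0.0.1.
function v6Words(ip) {
  let s = ip;
  const dotted = s.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) {
    const n = v4ToInt(dotted[1]);
    s = s.slice(0, -dotted[1].length) + (n >>> 16).toString(16) + ":" + (n & 0xffff).toString(16);
  }
  const [head, tail = ""] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const zeros = new Array(8 - h.length - t.length).fill("0");
  return [...h, ...zeros, ...t].map((w) => parseInt(w, 16));
}

function isPrivateV6(ip) {
  const w = v6Words(ip);
  const embedsV4 =
    (w.slice(0, 5).every((x) => x === 0) && (w[5] === 0xffff || w[5] === 0)) || // ::ffff:0:0/96, ::/96 (covers ::1)
    (w[0] === 0x64 && w[1] === 0xff9b && w.slice(2, 6).every((x) => x === 0));    // NAT64 64:ff9b::/96
  if (embedsV4) {
    // Judge the embedded IPv4 address, so ::ffff:127.0.0.1 is treated as 127.0.0.1.
    return isPrivateV4(`${w[6] >> 8}.${w[6] & 0xff}.${w[7] >> 8}.${w[7] & 0xff}`);
  }
  if ((w[0] & 0xffc0) === 0xfe80) return true; // link-local fe80::/10
  if ((w[0] & 0xfe00) === 0xfc00) return true; // unique local fc00::/7
  if ((w[0] & 0xff00) === 0xff00) return true; // multicast ff00::/8
  return false;
}

// True when a literal IP (v4 or v6) must not be fetched. Anything that is not a
// valid literal is refused rather than guessed at.
function isPrivateIp(ip) {
  const kind = ipKind(ip);
  if (kind === 4) return isPrivateV4(ip);
  if (kind === 6) return isPrivateV6(ip);
  return true;
}

// Validate a fetch target. `resolve(hostname)` returns the list of addresses the
// name resolves to (injected here; in production use dns.promises.lookup with
// { all: true }). Every resolved address is checked, and the caller should
// connect to the returned `address` instead of resolving again, which removes
// the time-of-check/time-of-use window that DNS rebinding exploits.
function checkFetchTarget(urlString, resolve) {
  const url = new URL(urlString); // canonicalizes 2130706433 / 0x7f000001 / 0177.0.0.1 to 127.0.0.1
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  const host = url.hostname.startsWith("[") ? url.hostname.slice(1, -1) : url.hostname;
  const addresses = ipKind(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { allowed: false, reason: "unresolvable" };
  for (const a of addresses) {
    if (isPrivateIp(a)) return { allowed: false, reason: `private address ${a}` };
  }
  return { allowed: true, host, address: addresses[0] };
}
```

The two design points worth noting: the check runs on the canonical address that will actually be connected to (after URL normalization and DNS resolution), not on the string the caller supplied, and a name that resolves to several addresses is refused if any one of them is private, which is how rebinding-style answers are caught.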