Microsoft Learn MCP Server SSRF (TRA-2025-36)

Also known as: microsoft_docs_fetch SSRF, MS Learn MCP URL Bypass

Severity: High | September 19, 2025 | Tenable Research

Overview

The microsoft_docs_fetch tool in the Microsoft Learn MCP Server lacks URL validation, allowing requests to any host instead of restricting them to microsoft.com domains. This enables SSRF attacks through the MCP server.

Who Is Affected

Discovered by Tenable's security research team. Affects users of the Microsoft Learn MCP server who use the microsoft_docs_fetch tool in their agent workflows.

Where It Exists

The vulnerability is in the microsoft_docs_fetch tool implementation, which is intended to fetch documentation from Microsoft Learn but accepts arbitrary URLs without domain validation.

When It Was Found

Published as TRA-2025-36 in July 2025 by Tenable.

How It Works

The microsoft_docs_fetch tool accepts a URL parameter intended to fetch Microsoft documentation pages. However, no validation ensures the URL points to a microsoft.com domain. An attacker (or a prompt injection payload) can direct the tool to fetch arbitrary URLs, including internal network resources, cloud metadata endpoints, or attacker-controlled servers.

Impact

SSRF allows access to internal network services, cloud infrastructure metadata, and can be used to exfiltrate data through the MCP server. Since the request originates from the server, it may bypass firewall rules and access controls designed to block external requests.

Mitigation

Implement strict URL allowlisting in the microsoft_docs_fetch tool to only permit requests to *.microsoft.com and *.azure.com domains. Add network-level egress controls. Validate URL schemes (only allow https). Block requests to private IP ranges and cloud metadata endpoints.
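The following is an added example of the kind of URL gate the mitigation above describes, covering both the failure mode in "How It Works" (the tool forwarding whatever URL it is handed) and the controls listed here. It is not code from the Microsoft Learn MCP Server or from Tenable; the function names, the allowlist suffixes (microsoft.com, azure.com) and the resolver table in the test are assumptions constructed for illustration. The resolver is injectable so the check runs offline; in production the address the check approved should also be the one the HTTP client connects to, otherwise a DNS answer can change between validation and use.

```python
"""Defensive URL gate for a documentation-fetch tool (added example, not the
Microsoft Learn MCP Server's own code)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical allowlist modelled on the advisory's mitigation:
# *.microsoft.com and *.azure.com (apex or any subdomain).
ALLOWED_SUFFIXES = ("microsoft.com", "azure.com")

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to its IP strings with the system resolver."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def host_allowed(host: str) -> bool:
    """True when host is an allowed apex or a subdomain of one.
    Suffix matching on a leading dot rejects look-alikes such as
    evilmicrosoft.com and learn.microsoft.com.attacker.example."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def ip_is_internal(ip: str) -> bool:
    """True for loopback, link-local (which includes the 169.254.169.254
    metadata address), RFC1918, unique-local, multicast, unspecified and
    reserved addresses. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def validate_fetch_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (ok, reason) for a URL the fetch tool has been asked to retrieve.
    Every check is applied before any request is made."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port not permitted"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal hosts not permitted"
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if not host_allowed(host):
        return False, f"host {host!r} not in allowlist"
    try:
        ips = list(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    if not ips:
        return False, "host resolved to no addresses"
    for ip in ips:
        # Reject if ANY answer is internal: a mixed answer set is how a
        # rebinding or split-horizon record steers the server inward.
        if ip_is_internal(ip):
            return False, f"host resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed table standing in for DNS so the example runs offline.
    table = {"learn.microsoft.com": ["13.107.42.14"],
             "intranet.microsoft.com": ["10.0.0.5"]}
    for candidate in ("https://learn.microsoft.com/en-us/",
                      "http://learn.microsoft.com/",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://intranet.microsoft.com/"):
        print(candidate, "->", validate_fetch_url(candidate, table.__getitem__))
```

Beyond the checks the advisory names, the example also refuses userinfo, non-443 ports and IP-literal hosts, since each is a common way to make a URL read as allowlisted while pointing elsewhere; the allowlist itself is a suffix match on a leading dot, not a substring test.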

References