Enviar #801895: AlejandroArciniegas mcp-data-vis 1.0.0 Server-Side Request Forgeryinformación

TítuloAlejandroArciniegas mcp-data-vis 1.0.0 Server-Side Request Forgery
DescripciónAlejandroArciniegas mcp-data-vis contains a server-side request forgery (SSRF) vulnerability in src/servers/web-scraper/server.js. Multiple MCP tools accept an attacker-controlled URL and pass it to outbound HTTP request logic implemented with axios(). Although the code attempts to block some local destinations, the validation is incomplete and does not comprehensively deny private, link-local, or otherwise sensitive address space. An attacker who can invoke the vulnerable handlers can cause the server to send requests to arbitrary internal or external resources that remain reachable after the flawed validation checks.
Fuente⚠️ https://github.com/AlejandroArciniegas/mcp-data-vis/issues/1
Usuario
 MidA (UID 96794)
Sumisión2026-04-10 09:59 (hace 2 meses)
Moderación2026-04-26 21:56 (16 days later)
EstadoAceptado
Entrada de VulDB359745 [AlejandroArciniegas mcp-data-vis hasta de5a51525a69822290eaee569a1ab447b490746d HTTP Request server.js axios escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!