| Titre | AlejandroArciniegas mcp-data-vis 1.0.0 Server-Side Request Forgery |
|---|
| Description | AlejandroArciniegas mcp-data-vis contains a server-side request forgery (SSRF) vulnerability in src/servers/web-scraper/server.js. Multiple MCP tools accept an attacker-controlled URL and pass it to outbound HTTP request logic implemented with axios(). Although the code attempts to block some local destinations, the validation is incomplete and does not comprehensively deny private, link-local, or otherwise sensitive address space. An attacker who can invoke the vulnerable handlers can cause the server to send requests to arbitrary internal or external resources that remain reachable after the flawed validation checks. |
|---|
| La source | ⚠️ https://github.com/AlejandroArciniegas/mcp-data-vis/issues/1 |
|---|
| Utilisateur | MidA (UID 96794) |
|---|
| Soumission | 10/04/2026 09:59 (il y a 2 mois) |
|---|
| Modérer | 26/04/2026 21:56 (16 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 359745 [AlejandroArciniegas mcp-data-vis HTTP Request server.js axios élévation de privilèges] |
|---|
| Points | 20 |
|---|