| शीर्षक | ahujasid blender-mcp Latest Server-Side Request Forgery |
|---|
| विवरण | Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the blender-mcp MCP Server. The root cause is that the zip_file_url parameter in the import_generated_asset_hunyuan tool is passed to Python's requests.get() with only a minimal URL-scheme check (^https?://), allowing the Blender process to send HTTP GET requests to arbitrary destinations — including internal services, cloud metadata endpoints, and attacker-controlled servers. The zip_file_url parameter provided by the MCP client is forwarded through the MCP Server (server.py) to the Blender addon (addon.py) via a TCP socket connection, where requests.get(zip_file_url, stream=True) is called without any domain or IP restriction.
Details
The MCP server is for the Blender 3D modeling application, allowing AI assistants to interact with Blender. An MCP Client can be instructed to provide an arbitrary URL as the zip_file_url parameter — for example via prompt injection when asked to import 3D assets. Below are the vulnerable code locations and methods for testing this vulnerability using MCP Inspector. Similarly, attackers can achieve this attack through methods such as indirect prompt injection. The following code leads to SSRF.
Vulnerable code
The vulnerability spans two files — the MCP Server tool definition (source) and the Blender addon handler (sink). The zip_file_url parameter flows through the entire chain with only a trivial protocol-prefix check.
Version: Latest
File: /src/blender_mcp/server.py
@mcp.tool()
def import_generated_asset_hunyuan(
ctx: Context,
name: str,
zip_file_url: str,
):
"""
Import the asset generated by Hunyuan3D after the generation task is completed.
Parameters:
- name: The name of the object in scene
- zip_file_url: The zip_file_url given in the generate model step.
Return if the asset has been imported successfully.
"""
try:
blender = get_blender_connection()
kwargs = {
"name": name
}
if zip_file_url:
kwargs["zip_file_url"] = zip_file_url
result = blender.send_command("import_generated_asset_hunyuan", kwargs)
return result
except Exception as e:
logger.error(f"Error generating Hunyuan3D task: {str(e)}")
return f"Error generating Hunyuan3D task: {str(e)}"
In the import_generated_asset_hunyuan tool, the zip_file_url parameter is required and provided directly by the MCP client. This parameter is forwarded to the Blender addon via send_command("import_generated_asset_hunyuan", {"zip_file_url": zip_file_url, ...}) without any validation, thus enabling SSRF.
Version: Latest
File: /addon.py
def import_generated_asset_hunyuan_ai(self, name: str , zip_file_url: str):
if not zip_file_url:
return {"error": "Zip file not found"}
# Validate URL
if not re.match(r'^https?://', zip_file_url, re.IGNORECASE):
return {"error": "Invalid URL format. Must start with http:// or https://"}
# Create a temporary directory
temp_dir = tempfile.mkdtemp(prefix="tencent_obj_")
zip_file_path = osp.join(temp_dir, "model.zip")
obj_file_path = osp.join(temp_dir, "model.obj")
mtl_file_path = osp.join(temp_dir, "model.mtl")
try:
# Download ZIP file
zip_response = requests.get(zip_file_url, stream=True)
zip_response.raise_for_status()
with open(zip_file_path, "wb") as f:
for chunk in zip_response.iter_content(chunk_size=8192):
f.write(chunk)
# Unzip the ZIP
with zipfile.ZipFile(zip_file_path, "r") as zip_ref:
zip_ref.extractall(temp_dir)
In the import_generated_asset_hunyuan_ai method of the addon, the only validation is re.match(r'^https?://', zip_file_url), which merely checks that the URL starts with http:// or https://. It does not restrict the target domain, IP address, or port. The URL is then passed directly to requests.get(), allowing the Blender process to make HTTP requests to any reachable endpoint.
In the source code of the tool import_generated_asset_hunyuan, we found a call to send_command("import_generated_asset_hunyuan", ...) which routes to the import_generated_asset_hunyuan_ai handler in the addon. This means that this tool directly introduces the security risk.
Prerequisite: Enable Hunyuan3D in Blender
The import_generated_asset_hunyuan command is only registered when the Hunyuan3D integration is enabled in the addon. No API key is required — only the checkbox must be checked.
In the 3D View sidebar (press N), find the "BlenderMCP" tab
Check "Use Tencent Hunyuan 3D model generation"
Ensure the MCP Server is running (click "Start MCP Server" if needed) |
|---|
| स्रोत | ⚠️ https://github.com/ahujasid/blender-mcp/issues/203 |
|---|
| उपयोगकर्ता | skywings (UID 98274) |
|---|
| सबमिशन | 15/05/2026 05:47 AM (20 दिन पहले) |
|---|
| संयम | 02/06/2026 05:25 PM (18 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 367957 [ahujasid blender-mcp तक 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b ZIP File server.py requests.get zip_file_url अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|