Submit #830735: wonderwhy-er DesktopCommanderMCP 0.2.37 Server-Side Request Forgery

Title: wonderwhy-er DesktopCommanderMCP 0.2.37 Server-Side Request Forgery
Description:

Summary

The read_file tool in DesktopCommanderMCP is vulnerable to Server-Side Request Forgery (SSRF) when isUrl is set to true. The user-supplied path parameter is passed directly to Node.js's built-in fetch() without any validation of the destination host, IP range, or protocol. This allows an attacker to make the MCP server issue arbitrary HTTP requests to internal network services, cloud metadata endpoints, or any other host reachable from the server process — and retrieve the full response content.

Detail

DesktopCommanderMCP provides AI programming assistants (such as Claude, Gemini, and Cursor) with file system and terminal operations via the Model Context Protocol. The read_file tool supports fetching remote content by accepting a URL in the path parameter when isUrl is set to true. The server then fetches the URL using Node.js's native fetch() and returns the full response body to the MCP client.

The schema definition for read_file accepts any string as path with no format or host restrictions:

Version: 0.2.37
File: src/tools/schemas.ts (lines 48-56)

    export const ReadFileArgsSchema = z.object({
        path: z.string(), // ← accepts any value, including internal URLs
        isUrl: z.boolean().optional().default(false),
        offset: z.number().optional().default(0),
        length: z.number().optional().default(1000),
        sheet: z.string().optional(),
        range: z.string().optional(),
        options: z.record(z.any()).optional()
    });

The handler resolves this unconditionally to a URL fetch when isUrl: true:

Version: 0.2.37
File: src/handlers/filesystem-handlers.ts (lines 103-108)

    // Resolve to absolute path for local files (not URLs) so "Open in folder" works
    const resolvedFilePath = parsed.isUrl
        ? parsed.path // ← URL used as-is, no validation
        : resolveAbsolutePath(parsed.path);
    const fileResult = await readFile(parsed.path, options);

Which dispatches to readFileFromUrl() without any intermediate check:

Version: 0.2.37
File: src/tools/filesystem.ts (lines 450-453)

    const { isUrl, offset, length, sheet, range } = options ?? {};
    return isUrl
        ? readFileFromUrl(filePath) // ← no validation before this call
        : readFileFromDisk(filePath, { offset, length, sheet, range });

And readFileFromUrl() calls fetch() directly on the user-supplied string:

Version: 0.2.37
File: src/tools/filesystem.ts (lines 276-287)

    export async function readFileFromUrl(url: string): Promise<FileResult> {
        // Import the MIME type utilities
        const { isImageFile } = await import('./mime-types.js');
        // Set up fetch with timeout
        const controller = new AbortController();
        const timeoutId = setTimeout(() => controller.abort(), FILE_OPERATION_TIMEOUTS.URL_FETCH);
        try {
            const response = await fetch(url, { // ← unvalidated fetch
                signal: controller.signal
            });

There is no validation at any point in this call chain:

· No allowlist of permitted domains or IP ranges
· No blocklist of private/internal IP ranges (127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x)
· No restriction on URL scheme (only http:/https: should be permitted)
· No limit on HTTP redirects (the server may follow redirects into internal space)

The complete response body is returned to the MCP client, meaning any data accessible to the server process — including cloud instance metadata, internal APIs, and admin interfaces — is directly exfiltrated to the Agent.

Clarified: This attack does not require OS-level shell access. The practically feasible triggering path is: an attacker performs a prompt injection into an AI agent integrated with DesktopCommanderMCP, instructing the agent to invoke read_file with a target internal URL. The agent, having no awareness of SSRF risks, will comply. No direct MCP client access or filesystem access by the attacker is required beyond the ability to influence the agent's prompts (e.g., via crafted file content, web pages, or emails the agent is asked to process).
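One way to perform the missing destination check before the fetch, as an added example in plain JavaScript; it is not DesktopCommanderMCP's code or its fix. The names checkUrl, checkRedirect, isInternalAddress and isInternalIPv4 are hypothetical, the caller is assumed to supply the addresses the hostname resolved to, and the IPv6 ranges and 0.0.0.0/8 go beyond the ranges the report lists.

```javascript
// Added example (hypothetical names): destination policy for an isUrl-style fetch.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The report's ranges (127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x) plus 0.0.0.0/8.
function isInternalIPv4(addr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return true; // unparseable: refuse
  const [a, b] = addr.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Also covers IPv6 loopback, link-local, unique-local and IPv4-mapped forms.
function isInternalAddress(addr) {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, "");
  if (!a.includes(":")) return isInternalIPv4(a);
  const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isInternalIPv4(dotted[1]);
  const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) { // the URL parser serialises ::ffff:127.0.0.1 as ::ffff:7f00:1
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isInternalIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  return a === "::" || a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
}

// resolvedAddrs: every address the hostname resolved to; ignored for IP literals.
function checkUrl(raw, resolvedAddrs = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: "scheme" };
  // new URL() has already normalised forms such as 2130706433 or 0x7f.1 to 127.0.0.1
  const literal = url.hostname.startsWith("[") || /^\d+(\.\d+){3}$/.test(url.hostname);
  const addrs = literal ? [url.hostname] : resolvedAddrs;
  if (addrs.length === 0) return { ok: false, reason: "unresolved" };
  if (addrs.some(isInternalAddress)) return { ok: false, reason: "internal-address" };
  return { ok: true, reason: "" };
}

// Redirect hop: resolve Location against the current URL and apply the same policy.
function checkRedirect(currentUrl, location, resolvedAddrs = []) {
  let next;
  try { next = new URL(location, currentUrl).href; } catch { return { ok: false, reason: "unparseable" }; }
  return checkUrl(next, resolvedAddrs);
}
```

To use it, call fetch() with redirect: "manual" and run checkRedirect on each Location header before following it. Because fetch() resolves the hostname again, the connection should also be pinned to the address that was validated.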
Source: ⚠️ https://github.com/wonderwhy-er/DesktopCommanderMCP/issues/410
User: skywings (UID 98274)
Submission: 15/05/2026 09:06 AM (20 days ago)
Moderation: 02/06/2026 05:40 PM (18 days later)
Status: Accepted
VulDB entry: 367959 [wonderwhy-er DesktopCommanderMCP 0.2.37 read_file src/tools/filesystem.ts readFileFromUrl url privilege escalation]
Points: 20
