| 제목 | atototo api-lab-mcp 0.2.1 Server-Side Request Forgery |
|---|
| 설명 | A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in api-lab-mcp, specifically within the MCP tools analyze_api_spec, generate_test_scenarios, and test_http_endpoint. An attacker with network access to the MCP/HTTP interface can supply maliciously crafted input through the source or url arguments, which flow unsanitized into outbound HTTP requests via fetch or axios. This allows the server to make arbitrary requests to internal services, cloud metadata endpoints, or other restricted destinations, potentially leading to unauthorized information disclosure and further compromise. Versions up to and including 0.2.1 are confirmed affected. |
|---|
| 원천 | ⚠️ https://github.com/atototo/api-lab-mcp/issues/4 |
|---|
| 사용자 | BruceJin (UID 96538) |
|---|
| 제출 | 2026. 03. 26. AM 06:53 (15 날 ago) |
|---|
| 모더레이션 | 2026. 04. 08. PM 07:10 (13 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 356288 [atototo api-lab-mcp 까지 0.2.1 HTTP Interface src/mcp/http-server.ts source/url 권한 상승] |
|---|
| 포인트들 | 20 |
|---|