제출 #851437: aerostackdev aerostack-mcp Latest Server-Side Request Forgery정보

제목aerostackdev aerostack-mcp Latest Server-Side Request Forgery
설명### Summary A Server-Side Request Forgery (SSRF) risk exists in the `upload_media` tool of `mcp-whatsapp`. The root cause is that user-controlled `media_url` is fetched server-side without sufficient destination validation (host/IP/port/redirect controls). This allows an attacker to trigger outbound requests from the MCP server network context to attacker-chosen targets. ### Details `upload_media` accepts a URL and downloads it server-side before uploading the content to Meta. In the current implementation, `media_url` is directly passed into `fetch()`: case 'upload_media': { validateRequired(args, ['media_url', 'media_type']); // Fetch the media binary from the provided URL const mediaRes = await fetch(args.media_url as string); if (!mediaRes.ok) { throw new Error(`Failed to fetch media from URL: ${mediaRes.status} ${mediaRes.statusText}`); } const mediaBuffer = await mediaRes.arrayBuffer(); const filename = (args.media_url as string).split('/').pop() ?? 'file'; const formData = new FormData(); formData.append('messaging_product', 'whatsapp'); formData.append('type', args.media_type as string); formData.append('file', new Blob([mediaBuffer], { type: args.media_type as string }), filename); const uploadRes = await fetch(`${META_BASE}/${phoneNumberId}/media`, { method: 'POST', headers: { Authorization: `Bearer ${token}` }, body: formData, }); Validation currently checks required fields, but does not enforce: - strict scheme policy (e.g., HTTPS-only), - hostname/domain allowlist, - DNS-resolved IP restrictions (private/loopback/link-local/metadata ranges), - destination port restrictions, - redirect target validation. As a result, attacker-controlled input reaches an HTTP request sink directly. ### Data Flow (source → sink) 1. MCP client calls `tools/call` for `upload_media` with attacker-controlled `media_url`. 2. `mcp-whatsapp` receives `media_url`. 3. Server executes `fetch(media_url)`. 4. Outbound request is sent from server context to attacker-selected destination. ### Impact SSRF
원천⚠️ https://github.com/aerostackdev/aerostack-mcp/issues/3
사용자
 skywings (UID 98274)
제출2026. 06. 08. AM 11:41 (1 월 ago)
모더레이션2026. 07. 09. AM 07:21 (1 month later)
상태수락
VulDB 항목377115 [aerostackdev aerostack-mcp 까지 6315dfde7df0a15aaf743f88d91347115e09ba23 mcp-whatsapp upload_media media_url 권한 상승]
포인트들20

Do you need the next level of professionalism?

Upgrade your account now!