Submit #780752: priyankark a11y-mcp 1.0.4 Server-Side Request Forgery

Title: priyankark a11y-mcp 1.0.4 Server-Side Request Forgery
Description: priyankark a11y-mcp contains a server-side request forgery (SSRF) vulnerability in src/index.js. The affected MCP request handlers pass an attacker-controlled URL to Puppeteer navigation logic without enforcing a strict destination allowlist or equivalent network restrictions. An attacker who can invoke the vulnerable handlers can cause the server to initiate requests to arbitrary internal or external resources, including loopback, private-address, link-local, or cloud metadata endpoints, subject to network reachability.
Source: https://github.com/wing3e/public_exp/issues/17
User: BigW (UID 96422)
Submission: 16/03/2026 11:47 (20 days ago)
Moderation: 01/04/2026 15:12 (16 days later)
Status: Accepted
VulDB Entry: 354655 [priyankark a11y-mcp up to 1.0.5 src/index.js A11yServer privilege escalation]
Points: 20
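
The description names the missing control: a destination allowlist plus network restrictions applied before the URL reaches Puppeteer navigation. The following is an added example of such a check, not code from a11y-mcp or from the submission; the function names, the allowlist parameter and the assumption that the caller passes in the addresses it resolved for the hostname are all hypothetical.

```javascript
// Added example; names and allowlist are hypothetical, not a11y-mcp code.
// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Loopback, private, CGNAT and link-local (incl. metadata) IPv4 ranges.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// True when a resolved address must not be reached by the server.
function isBlockedAddress(ip) {
  let addr = String(ip).toLowerCase();
  const mapped = addr.startsWith('::ffff:'); // IPv4-mapped IPv6
  if (mapped) addr = addr.slice(7);
  const n = ipv4ToInt(addr);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ipv4ToInt(net);
    });
  }
  if (mapped || !addr.includes(':')) return true; // unknown form: fail closed
  if (addr === '::1' || addr === '::') return true; // loopback, unspecified
  // fc00::/7 unique-local and fe80::/10 link-local
  return /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// rawUrl: URL from the MCP request. resolvedIps: addresses the caller got
// from DNS for its hostname. allowedHosts: operator-defined allowlist.
function checkDestination(rawUrl, resolvedIps, allowedHosts) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (!allowedHosts.includes(u.hostname)) {
    return { ok: false, reason: 'host not on allowlist' };
  }
  if (resolvedIps.length === 0 || resolvedIps.some(isBlockedAddress)) {
    return { ok: false, reason: 'resolves to non-public address' };
  }
  return { ok: true, reason: 'allowed' };
}
```

This check covers only the URL handed to the first navigation; redirects and requests the loaded page makes need the same check, for example through Puppeteer request interception. Resolving the name once and letting the browser resolve it again leaves a DNS rebinding gap, so egress filtering at the network layer remains the stronger restriction.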
