| Название | kLOsk adloop 0.9.0 Server-Side Request Forgery |
|---|
| Описание | A vulnerability was found in kLOsk/adloop 0.9.0. The issue affects the URL validation logic in src/adloop/ads/write.py, specifically the _validate_urls() function used by draft tools that accept a final_url parameter.
The affected MCP tools accept a caller-controlled final_url and perform a reachability check before creating or drafting Google Ads resources. The URL is passed to urllib.request.urlopen() without enforcing an http/https-only scheme allowlist and without filtering loopback, link-local, private, reserved, or cloud-metadata destinations. As a result, an MCP client that can invoke the affected draft tool can cause the server process to issue requests to attacker-chosen internal or local endpoints.
The confirmed impact is blind Server-Side Request Forgery. The response body is not returned to the caller, but the server-side request is issued from the MCP server's network position. This can be used to reach loopback services, internal network services, or cloud metadata endpoints such as x.x.x.x, depending on the deployment environment.
The same issue also allows non-HTTP schemes such as file:// to reach urllib.request.urlopen(). In the public reproduction, file:// URLs were not rejected. Existing local files and missing local files produced distinguishable error responses, creating a local-file existence oracle. This report does not claim full local file content disclosure through file://, only that the scheme is accepted and produces distinguishable behavior.
The check runs during the preview or validation path before any authenticated Google Ads API call, so the issue can be triggered without valid Google Ads credentials once the MCP server is running.
Affected component: src/adloop/ads/write.py
Affected function: _validate_urls()
Affected tool path: draft_responsive_search_ad and other draft or sitelink tools that pass final_url to _validate_urls()
Affected parameter: final_url
Affected package version: 0.9.0
CWE: CWE-918 / CWE-20 / CWE-610
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Suggested severity: Medium
Suggested remediation: validate the scheme and resolved destination before calling urllib.request.urlopen(). Only allow http and https URLs. Reject file, ftp, and other non-HTTP schemes. Resolve hostnames before use and reject loopback, link-local, private, reserved, multicast, and cloud-metadata addresses. Apply the same checks to redirects and to the HTTP-405 GET fallback. |
|---|
| Источник | ⚠️ https://github.com/kLOsk/adloop/issues/41 |
|---|
| Пользователь | Mcfly_Zhang (UID 98877) |
|---|
| Представление | 10.06.2026 02:30 (1 месяц назад) |
|---|
| Модерация | 12.07.2026 14:06 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 377854 [kLOsk adloop до 0.9.0 src/adloop/ads/write.py _validate_urls final_url эскалация привилегий] |
|---|
| Баллы | 20 |
|---|