| Название | mastergo-design mastergo-magic-mcp 0.2.0 Server-Side Request Forgery |
|---|
| Описание | A vulnerability was found in mastergo-design/mastergo-magic-mcp. The issue affects the MCP tool mcp__getComponentLink and the parameter url.
The mcp__getComponentLink tool accepts a caller-controlled url string and forwards it directly to httpUtilInstance.request({ method: "GET", url }). The response body is returned to the MCP caller as text. The schema is a bare z.string() and does not enforce a scheme allow-list, host allow-list, internal address filtering, or validation that the URL came from a trusted MasterGo backend response.
An MCP client that can invoke this tool may cause the MCP server process to make GET requests to arbitrary URLs reachable from the server host. Because the response body is returned to the caller, this is reflected SSRF rather than blind SSRF. Depending on deployment, this may expose localhost services, internal network services, or cloud metadata endpoints.
Affected package: @mastergo/magic-mcp
Affected tool: mcp__getComponentLink
Affected parameter: url
Affected file: src/tools/get-component-link.ts
CWE: CWE-918 / CWE-200 / CWE-20
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Suggested severity: Medium
Suggested remediation: validate url before making the request. Only allow expected schemes and trusted MasterGo documentation hosts, or require the URL to match a value previously returned by the trusted componentDocumentLinks API. Reject loopback, private, link-local, multicast, reserved, and cloud metadata addresses. Revalidate redirect targets before following redirects. |
|---|
| Источник | ⚠️ https://github.com/mastergo-design/mastergo-magic-mcp/issues/89 |
|---|
| Пользователь | Mcfly_Zhang (UID 98877) |
|---|
| Представление | 12.06.2026 04:16 (1 месяц назад) |
|---|
| Модерация | 14.07.2026 17:40 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 378329 [mastergo-design mastergo-magic-mcp до 0.2.0 mcp__getComponentLink get-component-link.ts z.string url эскалация привилегий] |
|---|
| Баллы | 20 |
|---|