| Title | JoeCastrom mcp-chat-studio 1.5.0 Server-Side Request Forgery |
|---|
| Description | The mcp-chat-studio application contains a server-side request forgery (SSRF) vulnerability because attacker-controlled input can reach outbound HTTP request functions without proper destination validation. Specifically, the /api/llm/models endpoint directly uses the req.query.base_url parameter in a fetch() call to {baseUrl}/api/tags (in server/routes/llm.js), and the workflow execution endpoint accepts a llmConfig object from the request body that later controls the auth_url or endpoint parameters passed to axios.post() calls in LLMClient.js (via server/routes/workflows.js). As a result, an unauthenticated attacker can coerce the server into issuing arbitrary HTTP requests to loopback addresses, RFC1918 private IP ranges, link‑local addresses, or cloud metadata services, enabling SSRF attacks that may expose sensitive internal resources. |
|---|
| Source | ⚠️ https://github.com/JoeCastrom/mcp-chat-studio/issues/4 |
|---|
| User | MidA (UID 96794) |
|---|
| Submission | 04/10/2026 10:04 (18 days ago) |
|---|
| Moderation | 04/26/2026 21:59 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 359746 [JoeCastrom mcp-chat-studio up to 1.5.0 LLM Models API server/routes/llm.js req.query.base_url server-side request forgery] |
|---|
| Points | 20 |
|---|