Submit #849289: AIAnytime Awesome-MCP-Server Latest Server-Side Request Forgeryinfo

TitleAIAnytime Awesome-MCP-Server Latest Server-Side Request Forgery
Description### Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the mcp-wiki MCP Server. The root cause is that the url parameter in the read_wikipedia_article tool is passed to Python’s requests.get() with only a minimal prefix check (url.startswith("http")), allowing the server process to send HTTP GET requests to arbitrary destinations — including internal services, cloud metadata endpoints, and attacker-controlled servers. The url parameter provided by the MCP client is consumed directly in server.py, where requests.get(url, timeout=10) is executed without domain allowlisting, IP-range restrictions, or redirect hardening. ### Details This MCP server exposes a tool intended to read Wikipedia content. However, an MCP client can provide any URL value to read_wikipedia_article. Because validation only checks that the string starts with http, the backend performs outbound requests to attacker-chosen targets. This enables SSRF through direct tool invocation (and potentially via prompt-influenced tool arguments in real agent workflows). #### Vulnerable code Version: Latest File: mcp-wiki/src/mcp_wiki/server.py @mcp.tool() def read_wikipedia_article(url: str) -> str: try: # Validate input if not url.startswith("http"): raise ValueError("URL must start with http or https.") response = requests.get(url, timeout=10) ... The only validation is a scheme-prefix check. There is no restriction on: destination hostname/domain, resolved IP range (e.g., loopback/private/link-local), destination port, redirect targets. As a result, attacker-controlled url input reaches the HTTP request sink directly. Data flow (source → sink) MCP client invokes tools/call for read_wikipedia_article with attacker-controlled url. MCP server receives url argument in read_wikipedia_article. Server executes requests.get(url, timeout=10). Outbound request is sent from server network context to attacker-selected destination. Malicious attackers can inject malicious parameters into tools/calls through methods such as indirect message injection or hijacking MCP clients, thereby causing SSRF attacks. ### Using MCP Inspector (Proof of Concept) Prerequisites 1. mcp-wiki dependencies installed. 2. MCP Inspector available (npx @modelcontextprotocol/inspector). 3. A request-capture endpoint (e.g., webhook.site) or a local HTTP listener. Steps 1. Start the server with Inspector (stdio): npx @modelcontextprotocol/inspector python -m mcp_wiki 2. In Inspector: 1)Connect 2)Open Tools 3)Select read_wikipedia_article 3. Use payload: https://webhook.site/3581c961-dc7c-4d41-a254-3b38487dbe46?SSRF20260605 4. On the webhook.site page, a new request appears confirming the SSRF ### Impact Server-Side Request Forgery (SSRF)
Source⚠️ https://github.com/AIAnytime/Awesome-MCP-Server/issues/34
User
 skywings (UID 98274)
Submission06/05/2026 11:16 (29 days ago)
Moderation07/04/2026 15:05 (29 days later)
StatusAccepted
VulDB entry376334 [AIAnytime Awesome-MCP-Server up to a884bb51bcd99e08e14fd712c749d55d9d9a13ab mcp-wiki/wiki-summary server.py url server-side request forgery]
Points20

Do you need the next level of professionalism?

Upgrade your account now!