| Title | AIAnytime Awesome-MCP-Server Latest Server-Side Request Forgery |
|---|
| Description | ### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the mcp-wiki MCP Server. The root cause is that the url parameter in the read_wikipedia_article tool is passed to Python’s requests.get() with only a minimal prefix check (url.startswith("http")), allowing the server process to send HTTP GET requests to arbitrary destinations — including internal services, cloud metadata endpoints, and attacker-controlled servers.
The url parameter provided by the MCP client is consumed directly in server.py, where requests.get(url, timeout=10) is executed without domain allowlisting, IP-range restrictions, or redirect hardening.
### Details
This MCP server exposes a tool intended to read Wikipedia content. However, an MCP client can provide any URL value to read_wikipedia_article.
Because validation only checks that the string starts with http, the backend performs outbound requests to attacker-chosen targets.
This enables SSRF through direct tool invocation (and potentially via prompt-influenced tool arguments in real agent workflows).
#### Vulnerable code
Version: Latest
File: mcp-wiki/src/mcp_wiki/server.py
```python
@mcp.tool()
def read_wikipedia_article(url: str) -> str:
    try:
        # Validate input
        if not url.startswith("http"):
            raise ValueError("URL must start with http or https.")
        response = requests.get(url, timeout=10)
        ...
```
The only validation is a scheme-prefix check. There is no restriction on:
- destination hostname/domain,
- resolved IP range (e.g., loopback/private/link-local),
- destination port,
- redirect targets.
As a result, attacker-controlled url input reaches the HTTP request sink directly.
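A validator that enforces the restrictions listed above (scheme, host allowlist, port, resolved IP range) could look like the following. It is an added example, not code from mcp-wiki; the function names, the `wikipedia.org` allowlist and the port set are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions (not from mcp-wiki): only Wikipedia hosts over HTTPS on 443 are needed.
ALLOWED_DOMAIN = "wikipedia.org"
ALLOWED_PORTS = {None, 443}


def resolve_all(host):
    """Return every IP address the host currently resolves to (live DNS)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_wikipedia_url(url, resolver=resolve_all):
    """Return the URL if it passes every check, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host != ALLOWED_DOMAIN and not host.endswith("." + ALLOWED_DOMAIN):
        raise ValueError("host is not on the allowlist")
    if parts.port not in ALLOWED_PORTS:  # .port itself raises ValueError if malformed
        raise ValueError("port is not allowed")
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        # Rejects loopback, RFC 1918, link-local (169.254.0.0/16) and other non-public ranges.
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"host resolves to non-public address {addr}")
    return parts.geturl()


def is_allowed(url, resolver=resolve_all):
    """Fail closed: any validation or DNS error means the URL is not fetched."""
    try:
        validate_wikipedia_url(url, resolver)
        return True
    except (ValueError, OSError):
        return False
```

Fetch the returned URL with `requests.get(url, timeout=10, allow_redirects=False)` so a redirect cannot leave the allowlist. Because the HTTP client resolves the name again, this check alone leaves a DNS-rebinding window; connecting to the validated address closes it.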
Data flow (source → sink)
1. MCP client invokes tools/call for read_wikipedia_article with attacker-controlled url.
2. MCP server receives url argument in read_wikipedia_article.
3. Server executes requests.get(url, timeout=10).
4. Outbound request is sent from server network context to attacker-selected destination.
Attackers can inject malicious parameters into tools/call requests through methods such as indirect message injection or hijacking MCP clients, thereby causing SSRF.
### Using MCP Inspector (Proof of Concept)
Prerequisites
1. mcp-wiki dependencies installed.
2. MCP Inspector available (npx @modelcontextprotocol/inspector).
3. A request-capture endpoint (e.g., webhook.site) or a local HTTP listener.
Steps
1. Start the server with Inspector (stdio):
   ```
   npx @modelcontextprotocol/inspector python -m mcp_wiki
   ```
2. In Inspector:
   1) Connect
   2) Open Tools
   3) Select read_wikipedia_article
3. Use payload:
   https://webhook.site/3581c961-dc7c-4d41-a254-3b38487dbe46?SSRF20260605
4. On the webhook.site page, a new request appears, confirming the SSRF.
### Impact
Server-Side Request Forgery (SSRF) |
|---|
| Source | ⚠️ https://github.com/AIAnytime/Awesome-MCP-Server/issues/34 |
|---|
| User | skywings (UID 98274) |
|---|
| Submission | 06/05/2026 11:16 (29 days ago) |
|---|
| Moderation | 07/04/2026 15:05 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376334 [AIAnytime Awesome-MCP-Server up to a884bb51bcd99e08e14fd712c749d55d9d9a13ab mcp-wiki/wiki-summary server.py url server-side request forgery] |
|---|
| Points | 20 |
|---|