| Title | AIAnytime Awesome-MCP-Server Latest Server-Side Request Forgery |
|---|
| Description | ### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the wiki-summary MCP Server implementation (streamlit as an MCP Host/ollama_server.py). The root cause is that the url parameter in the summarize_wikipedia_article tool is passed to Python’s requests.get() with only a minimal prefix check (url.startswith("http")), allowing the server process to send HTTP GET requests to arbitrary destinations — including internal services, cloud metadata endpoints, and attacker-controlled servers.
The url parameter provided by the MCP client is consumed directly in ollama_server.py, where requests.get(url, timeout=10) is executed without domain allowlisting, IP-range restrictions, port restrictions, or redirect hardening.
### Details
This MCP server exposes summarize_wikipedia_article, intended to fetch and summarize Wikipedia content. However, an MCP client can supply any URL value as input. Because validation only checks that the input begins with http, the backend performs outbound requests to attacker-controlled targets.
This enables SSRF through direct tool invocation (and potentially via prompt-influenced tool arguments in real agent workflows).
#### Vulnerable Code
Version: Latest
File: streamlit as an MCP Host/ollama_server.py
```python
@mcp.tool()
def summarize_wikipedia_article(url: str) -> str:
    try:
        # Validate input
        if not url.startswith("http"):
            raise ValueError("URL must start with http or https.")
        # Fetch the article
        response = requests.get(url, timeout=10)
        ...
```
The only validation is a scheme-prefix check. There is no restriction on:
- destination hostname/domain,
- resolved IP range (e.g., loopback/private/link-local),
- destination port,
- redirect targets.
As a result, attacker-controlled url input reaches the HTTP request sink directly.
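A stricter check for the `url` argument that covers the gaps listed above, as an added example (not code from the Awesome-MCP-Server project or from this report). It assumes the tool only needs https pages under wikipedia.org; `original_check`, `validate_article_url`, the `resolve` parameter and the two constants are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the tool only needs https pages under wikipedia.org.
ALLOWED_DOMAIN = "wikipedia.org"
ALLOWED_PORTS = {None, 443}  # None means the default https port


def original_check(url: str) -> bool:
    """The only validation in the reported code: a scheme-prefix test."""
    return url.startswith("http")


def validate_article_url(url: str, resolve=socket.getaddrinfo) -> str:
    """Return url unchanged if it passes every check, else raise ValueError.

    resolve is injectable (hypothetical parameter) so the checks can be
    exercised without network access.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in the URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host != ALLOWED_DOMAIN and not host.endswith("." + ALLOWED_DOMAIN):
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    # An allowlisted name must still resolve only to public addresses.
    for info in resolve(host, 443, type=socket.SOCK_STREAM):
        ip = ipaddress.ip_address(info[4][0])
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


if __name__ == "__main__":
    # Constructed inputs; the resolver stub stands in for DNS.
    stub = lambda host, port, **kw: [(socket.AF_INET, 0, 0, "", ("127.0.0.1", port))]
    for candidate in ("http://127.0.0.1:8080/", "https://en.wikipedia.org/wiki/SSRF"):
        try:
            validate_article_url(candidate, resolve=stub)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(original_check(candidate), verdict)
```

The caller would then fetch with `requests.get(url, timeout=10, allow_redirects=False)` and pass any `Location` target back through the validator before following it. The DNS check does not pin the resolved address for the later connection, so it narrows rather than closes the rebinding window.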
#### Data Flow (source -> sink)
1. MCP client invokes tools/call for summarize_wikipedia_article with attacker-controlled url.
2. MCP server receives url argument in summarize_wikipedia_article.
3. Server executes requests.get(url, timeout=10).
4. Outbound request is sent from server network context to attacker-selected destination.
Attackers can inject malicious tool parameters through indirect prompt/message injection or by hijacking MCP client behavior, thereby triggering SSRF.
### Using MCP Inspector (Proof of Concept)
#### Prerequisites
- Dependencies installed for `streamlit as an MCP Host` (including ollama).
- MCP Inspector available (`npx @modelcontextprotocol/inspector`).
- A request-capture endpoint (e.g., webhook.site) or local HTTP listener.
#### Steps
1. Start the vulnerable server:
   `python "streamlit as an MCP Host/ollama_server.py"`
2. Start Inspector:
   `npx @modelcontextprotocol/inspector`
3. In Inspector:
   1. Select transport SSE
   2. Connect to http://localhost:8000/sse
   3. Open Tools
   4. Select summarize_wikipedia_article
4. Use payload:
   `https://webhook.site/3581c961-dc7c-4d41-a254-3b38487dbe46?SSRF20260605`
5. On the webhook.site page, a new request appears, confirming SSRF.
### Impact
Server-Side Request Forgery (SSRF).
|
|---|
| Source | ⚠️ https://github.com/AIAnytime/Awesome-MCP-Server/issues/35 |
|---|
| User | skywings (UID 98274) |
|---|
| Submission | 06/05/2026 11:41 (29 days ago) |
|---|
| Moderation | 07/04/2026 15:05 (29 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 376334 [AIAnytime Awesome-MCP-Server up to a884bb51bcd99e08e14fd712c749d55d9d9a13ab mcp-wiki/wiki-summary server.py url server-side request forgery] |
|---|
| Points | 0 |
|---|