| 标题 | AstrBotDevs AstrBot 4.25.2 Server-Side Request Forgery (CWE-918) |
|---|
| 描述 | # Technical Details
An authenticated SSRF exists in the MCP connection testing workflow implemented by `ToolsRoute.test_mcp_connection()` in `astrbot/dashboard/routes/tools.py`, `validate_mcp_stdio_config()` in `astrbot/core/agent/mcp_client.py`, and `_quick_test_mcp_connection()` in `astrbot/core/provider/func_tool_manager.py` of AstrBot.
The application fails to validate user-supplied MCP URL targets before performing backend requests. URL-based configurations bypass stdio validation entirely, and the provider test path issues direct `aiohttp` requests to the supplied destination. No SSRF-specific protections were identified for scheme, hostname, resolved IP, loopback, private ranges, metadata endpoints, or redirects.
# Vulnerable Code
File: `astrbot/dashboard/routes/tools.py`
Method: `ToolsRoute.test_mcp_connection()`
Why: The route accepts attacker-controlled `mcp_server_config`, forwards it to `test_mcp_server_connection()`, and URL-based configs pass through `validate_mcp_stdio_config()` because that function returns immediately when `url` is present. `_quick_test_mcp_connection()` then performs outbound `POST`/`GET` requests directly to `cfg["url"]`.
# Reproduction
1. Start an HTTP listener reachable from the AstrBot host.
2. Authenticate to the AstrBot dashboard.
3. Send `POST /api/tools/mcp/test` with JSON containing `mcp_server_config.url` set to an attacker-controlled endpoint such as `http://127.0.0.1:19001/mcp-test`.
4. Observe backend callbacks to the listener, even if the MCP handshake later fails.
5. Send a control request without the `url` field and confirm no listener callbacks occur.
# Impact
- Authenticated users can coerce the AstrBot server into making arbitrary outbound HTTP requests.
- The vulnerability enables loopback probing, internal service discovery, and access attempts against internal-only endpoints reachable from the host. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/b68732c140fb11d844b214cf2db50a5a |
|---|
| 用户 | Eric-a (UID 96353) |
|---|
| 提交 | 2026-06-01 10時25分 (1 月前) |
|---|
| 管理 | 2026-07-11 14時42分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377808 [AstrBotDevs AstrBot 直到 4.25.2 MCP Test Endpoint tools.py ToolsRoute.test_mcp_connection mcp_server_config.url 权限提升] |
|---|
| 积分 | 20 |
|---|