Server-Side Request Forgery Vulnerability in api-lab-mcp #4

@BruceJqs


1) CNA / Submission Type

  • Submission type: Report a vulnerability (CVE ID request)
  • Reporter role: Independent security researcher
  • Report date: March 17, 2026

2) Reporter Contact (fill before submit)

  • Reporter name: BruceJin
  • Reporter email: brucejin@zju.edu.cn
  • Permission to share contact with vendor: Yes

3) Vendor / Product Identification

  • Vendor: atototo
  • Product: api-lab-mcp
  • Repository: https://github.com/atototo/api-lab-mcp
  • Affected component(s):
    • src/mcp/http-server.ts
    • src/mcp/server.ts
    • src/core/services/ApiTestingService.ts
    • src/mcp/tools/analyzeApiSpec.ts
    • src/mcp/tools/generateTestScenarios.ts
    • test_http_endpoint tool implementation in src/mcp/http-server.ts / src/mcp/server.ts

4) Vulnerability Type

  • CWE: CWE-918 (Server-Side Request Forgery)
  • Short title: Server-side request forgery in MCP/HTTP request handling

5) Affected Versions

  • Confirmed affected: 0.2.1
  • Suspected affected range: revisions containing the same request-to-sink flows listed below
  • Fixed version: Not available at time of report (March 17, 2026)

6) Vulnerability Description

A server-side request forgery (SSRF) vulnerability (CWE-918) has been identified in api-lab-mcp, specifically within the MCP tools analyze_api_spec, generate_test_scenarios, and test_http_endpoint. An attacker with network access to the MCP/HTTP interface can supply maliciously crafted input through the source or url arguments, which flow unsanitized into outbound HTTP requests via fetch or axios. This allows the server to make arbitrary requests to internal services, cloud metadata endpoints, or other restricted destinations, potentially leading to unauthorized information disclosure and further compromise. Versions up to and including 0.2.1 are confirmed affected.

7) Technical Root Cause

  1. js/request-forgery-from-request
    • Source: src/mcp/http-server.ts:154 (req.body)
    • Sink: src/mcp/tools/analyzeApiSpec.ts:55
    • Sink code: const response = await fetch(source);
  2. js/request-forgery-from-request
    • Source: src/mcp/http-server.ts:154 (req.body)
    • Sink: src/mcp/tools/generateTestScenarios.ts:72
    • Sink code: const response = await fetch(source);
  3. js/request-forgery-from-request
    • Source: src/mcp/http-server.ts:154 (req.body)
    • Sink: src/core/services/ApiTestingService.ts:100
    • Sink code: return await this.axiosInstance.request(config);

The vulnerable tool entry points are:

  • test_http_endpoint via src/mcp/http-server.ts:227-287 / src/mcp/server.ts:231-243
  • analyze_api_spec via src/mcp/http-server.ts:257-258 / src/mcp/server.ts:401-402
  • generate_test_scenarios via src/mcp/http-server.ts:260-261 / src/mcp/server.ts:414-415

8) Attack Prerequisites

  • Attacker can invoke the MCP/HTTP endpoint or tool handler that reaches the vulnerable sink.
  • No effective runtime policy strips or constrains attacker-controlled values before sink usage.
  • If SSRF applies: server has network egress to attacker-chosen or internal targets.

9) Proof of Concept / Reproduction Guidance

This proof of concept provides a concise, CVE-style reproduction example for the reported issue.

  1. Reproduction request for analyze_api_spec
     {"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"analyze_api_spec","arguments":{"source":"http://127.0.0.1:8000"}}}
  2. Reproduction request for generate_test_scenarios
     {"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"generate_test_scenarios","arguments":{"source":"http://127.0.0.1:8000"}}}
  3. Reproduction request for test_http_endpoint
     {"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"test_http_endpoint","arguments":{"method":"GET","url":"http://127.0.0.1:8000"}}}
  4. Validation
    • Submit the request to the exposed MCP/HTTP interface of the affected deployment.
    • Confirm that the api-lab-mcp process performs an outbound request to the attacker-controlled listener for each of the three tools above.

10) Security Impact

  • Confidentiality: High when internal services or metadata endpoints are reachable.
  • Integrity: Low to Medium depending on reachable internal write-capable APIs.
  • Availability: Low to Medium via request fan-out or slow internal targets.
  • Scope: Unchanged.

11) CVSS v3.1 Suggestion

  • Suggested vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
  • Suggested base score: 8.6 (High)
  • Adjust for your deployment boundaries and egress restrictions.

12) Workarounds / Mitigations

  • Enforce strict URL allowlists (scheme/host/port/path) for outbound requests.
  • Block loopback, link-local, RFC1918, and metadata destinations after DNS resolution and redirect handling.
  • Add authentication, authorization, logging, and rate limiting on sensitive MCP/HTTP handlers.

13) Recommended Fix

  • Eliminate the request-to-sink data flow documented above.
  • Add input schema validation at MCP/HTTP boundaries.
  • Constrain source and url arguments for analyze_api_spec, generate_test_scenarios, and test_http_endpoint to approved destinations only.
  • Add regression tests proving attacker-controlled values cannot reach sensitive sinks.
  • Publish a maintainer security advisory once a patch is released.

14) References

15) Credits

  • Discoverer: BruceJin
  • Discovery method: Static analysis (CodeQL) plus repository source-code audit

16) Additional Notes for Form Mapping

  • Audit verdict: Likely exploitable: attacker-controlled source / url parameters in analyze_api_spec, generate_test_scenarios, and test_http_endpoint can reach outbound request sinks.
  • Dynamic exploit replay status: not completed in this batch run.
  • Maintainer should validate release mapping before coordinated disclosure.

For further information, please refer to BruceJqs/public_exp#6
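
One way to implement the mitigation in section 12 ("block loopback, link-local, RFC1918, and metadata destinations after DNS resolution and redirect handling"), as an added example in plain JavaScript for Node. It is not code from api-lab-mcp or from the reporter; the names isBlockedAddress, checkHop, guardedFetch and the injected resolve function are hypothetical.

```javascript
// Added example; all function and parameter names are hypothetical, not api-lab-mcp code.
const BLOCKED_V4 = [ // [network, prefix bits]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["100.64.0.0", 10],
  ["169.254.0.0", 16], // link-local, includes the 169.254.169.254 metadata address
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad IPv4 -> unsigned integer, or null when the string is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// True when an already-resolved address must never be contacted. Fails closed on non-IP input.
function isBlockedAddress(ip) {
  const n = ipv4ToInt(ip);
  if (n !== null) return BLOCKED_V4.some(([net, bits]) => n >= ipv4ToInt(net) && n < ipv4ToInt(net) + 2 ** (32 - bits));
  const a = ip.toLowerCase();
  if (!a.includes(":")) return true; // neither IPv4 nor IPv6: reject
  return a === "::1" || a === "::" || a.startsWith("::ffff:") // loopback, unspecified, IPv4-mapped
    || /^fe[89ab]/.test(a) || /^f[cd]/.test(a);               // fe80::/10 link-local, fc00::/7 unique-local
}

// Validate one hop: scheme first, then every address the hostname resolves to.
async function checkHop(urlString, resolve) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  const addrs = await resolve(url.hostname.replace(/^\[|\]$/g, ""));
  const bad = addrs.length === 0 ? "(unresolved)" : addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `blocked address ${bad}` };
  return { ok: true, url };
}

// Follow redirects manually so that every Location target is re-validated before it is requested.
async function guardedFetch(urlString, { resolve, fetchImpl = fetch, maxRedirects = 3 }) {
  for (let next = urlString, hop = 0; hop <= maxRedirects; hop++) {
    const verdict = await checkHop(next, resolve);
    if (!verdict.ok) throw new Error(`SSRF guard: ${verdict.reason} (${next})`);
    const res = await fetchImpl(verdict.url, { redirect: "manual" });
    const location = res.status >= 300 && res.status < 400 && res.headers.get("location");
    if (!location) return res;
    next = new URL(location, verdict.url).toString();
  }
  throw new Error("SSRF guard: too many redirects");
}
```

In a deployment, `resolve` would wrap `dns.promises.lookup(host, { all: true })` and return the address strings. Because the HTTP client resolves the name again when it connects, the connection should also be pinned to the validated address to close the DNS-rebinding gap.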
