Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
🔗 CVE IDs covered (1)
📋 Description
Summary
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.
This only affects installations with Dynamic Client Registration (DCR) enabled:
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true
DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).
Workaround
When users need to perform DCR, they may provide their own McpOAuth2ClientManager. Both McpMetadataDiscoveryService and DynamicClientRegistrationService are also affected, if used, users should provide their own subclasses.
Alternatively, users can provide the default implementations of these classes with a RestClient that implements URL filtering through ClientHttpRequestInterceptor.
🎯 Affected products1
- maven/org.springaicommunity:mcp-client-security:< 0.1.9
🔗 References (5)
- https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3
- https://github.com/spring-ai-community/mcp-security/pull/68
- https://github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576
- https://github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9
- https://github.com/advisories/GHSA-qjp4-4jvr-xqg3