Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65513

CVE-2025-65513: Fetch Mcp Server SSRF Vulnerability

CVE-2025-65513 is a Server-Side Request Forgery vulnerability in Zcaceres Fetch Mcp Server that allows attackers to bypass IP validation and access internal networks. This article covers technical details, impact, and fixes.

Updated:

CVE-2025-65513 Overview

CVE-2025-65513 is a Server-Side Request Forgery (SSRF) vulnerability affecting fetch-mcp versions 1.0.2 and earlier. The flaw allows remote attackers to bypass private IP address validation and reach internal network resources through the Model Context Protocol (MCP) fetch server maintained by zcaceres. Because MCP servers often run inside developer workstations or AI agent infrastructure, exploitation can expose cloud metadata services, internal APIs, and other non-public assets. The issue is tracked under CWE-918: Server-Side Request Forgery.

Critical Impact

Attackers can issue HTTP requests from the MCP server to internal hosts, enabling reconnaissance and access to sensitive internal services that should not be reachable from the public network.

Affected Products

  • zcaceres/fetch-mcp versions 1.0.2 and earlier
  • MCP-enabled AI agent deployments embedding fetch_mcp_server
  • Development environments exposing the fetch MCP server on a network-reachable interface

Discovery Timeline

  • 2025-12-09 - CVE-2025-65513 published to NVD
  • 2026-01-02 - Last updated in NVD database

Technical Details for CVE-2025-65513

Vulnerability Analysis

The fetch-mcp server provides an MCP tool that retrieves remote URLs on behalf of an AI client. The server is intended to block requests targeting private address space, but its validation logic fails to cover every path that resolves to an internal host. Attackers supply a URL that passes the filter yet resolves to an RFC1918 address, the loopback interface, or a cloud metadata endpoint such as 169.254.169.254. The server then issues the outbound HTTP request and returns the response body to the caller.

The impact is confidentiality loss without authentication or user interaction. Successful exploitation reveals internal service banners, configuration endpoints, and metadata credentials reachable from the host running the MCP server.

Root Cause

The root cause is incomplete validation of the target URL before the HTTP fetch executes. Common SSRF bypass techniques that defeat the filter include DNS rebinding, decimal or hexadecimal IP encodings, IPv6-mapped IPv4 addresses, and HTTP redirect chains that move from a public host to a private destination. The validation runs once on the supplied string rather than on the final resolved socket address.

Attack Vector

An attacker with access to an MCP client connected to a vulnerable fetch-mcp instance crafts a fetch request whose URL bypasses the private IP check. The MCP server resolves the hostname, connects to an internal address, and returns the response. No credentials are required because MCP fetch tools typically accept arbitrary URLs from the connected model or user prompt. Refer to the GitHub vulnerability analysis for technical details.

Detection Methods for CVE-2025-65513

Indicators of Compromise

  • Outbound HTTP requests from the host running fetch-mcp to RFC1918 ranges, 127.0.0.0/8, or 169.254.169.254
  • MCP tool invocations containing URLs with encoded IP literals, unusual hostnames, or redirect chains
  • Unexpected responses from cloud metadata endpoints logged in application or proxy telemetry

Detection Strategies

  • Inspect MCP server logs for fetch requests whose resolved destination differs from the supplied hostname
  • Correlate process telemetry from the fetch-mcp Node process with outbound network connections to internal subnets
  • Alert on DNS resolutions that return private addresses for externally supplied hostnames

Monitoring Recommendations

  • Forward MCP server stdout, stderr, and HTTP client logs to a central log store for retention and search
  • Apply egress firewall rules that block the MCP server host from reaching internal management interfaces and cloud metadata IPs
  • Monitor for newly introduced MCP servers in developer environments to inventory exposure to this class of bug

How to Mitigate CVE-2025-65513

Immediate Actions Required

  • Upgrade fetch-mcp to a release later than 1.0.2 once the maintainer publishes a fix
  • Restrict the network egress of any host running fetch-mcp to allow only the destinations the workflow actually requires
  • Block the cloud metadata IP 169.254.169.254 at the host firewall for any system running MCP fetch tools

Patch Information

No vendor advisory URL is listed in the NVD record at publication. Review the GitHub vulnerability analysis and the Notion security document for the latest remediation status, then track the upstream zcaceres/fetch-mcp repository for a patched release.

Workarounds

  • Run fetch-mcp inside a network namespace or container with no route to internal subnets or metadata endpoints
  • Wrap the MCP server behind an authenticated egress proxy that enforces an allowlist of permitted destination hostnames
  • Disable the fetch MCP tool in AI client configurations where remote URL retrieval is not required
bash
# Configuration example: block metadata and private ranges at the host firewall
sudo iptables -A OUTPUT -d 169.254.169.254 -j REJECT
sudo iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
sudo iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.