CVE-2025-65513 Overview
CVE-2025-65513 is a Server-Side Request Forgery (SSRF) vulnerability affecting fetch-mcp versions 1.0.2 and earlier. The flaw allows remote attackers to bypass private IP address validation and reach internal network resources through the Model Context Protocol (MCP) fetch server maintained by zcaceres. Because MCP servers often run inside developer workstations or AI agent infrastructure, exploitation can expose cloud metadata services, internal APIs, and other non-public assets. The issue is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
Attackers can issue HTTP requests from the MCP server to internal hosts, enabling reconnaissance and access to sensitive internal services that should not be reachable from the public network.
Affected Products
- zcaceres/fetch-mcp versions 1.0.2 and earlier
- MCP-enabled AI agent deployments embedding fetch_mcp_server
- Development environments exposing the fetch MCP server on a network-reachable interface
Discovery Timeline
- 2025-12-09 - CVE-2025-65513 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-65513
Vulnerability Analysis
The fetch-mcp server provides an MCP tool that retrieves remote URLs on behalf of an AI client. The server is intended to block requests targeting private address space, but its validation logic fails to cover every path that resolves to an internal host. Attackers supply a URL that passes the filter yet resolves to an RFC1918 address, the loopback interface, or a cloud metadata endpoint such as 169.254.169.254. The server then issues the outbound HTTP request and returns the response body to the caller.
The impact is confidentiality loss without authentication or user interaction. Successful exploitation reveals internal service banners, configuration endpoints, and metadata credentials reachable from the host running the MCP server.
Root Cause
The root cause is incomplete validation of the target URL before the HTTP fetch executes. Common SSRF bypass techniques that defeat the filter include DNS rebinding, decimal or hexadecimal IP encodings, IPv6-mapped IPv4 addresses, and HTTP redirect chains that move from a public host to a private destination. The validation runs once on the supplied string rather than on the final resolved socket address.
Attack Vector
An attacker with access to an MCP client connected to a vulnerable fetch-mcp instance crafts a fetch request whose URL bypasses the private IP check. The MCP server resolves the hostname, connects to an internal address, and returns the response. No credentials are required because MCP fetch tools typically accept arbitrary URLs from the connected model or user prompt. Refer to the GitHub vulnerability analysis for technical details.
Detection Methods for CVE-2025-65513
Indicators of Compromise
- Outbound HTTP requests from the host running fetch-mcp to RFC1918 ranges, 127.0.0.0/8, or 169.254.169.254
- MCP tool invocations containing URLs with encoded IP literals, unusual hostnames, or redirect chains
- Unexpected responses from cloud metadata endpoints logged in application or proxy telemetry
Detection Strategies
- Inspect MCP server logs for fetch requests whose resolved destination differs from the supplied hostname
- Correlate process telemetry from the fetch-mcp Node process with outbound network connections to internal subnets
- Alert on DNS resolutions that return private addresses for externally supplied hostnames
Monitoring Recommendations
- Forward MCP server stdout, stderr, and HTTP client logs to a central log store for retention and search
- Apply egress firewall rules that block the MCP server host from reaching internal management interfaces and cloud metadata IPs
- Monitor for newly introduced MCP servers in developer environments to inventory exposure to this class of bug
How to Mitigate CVE-2025-65513
Immediate Actions Required
- Upgrade fetch-mcp to a release later than 1.0.2 once the maintainer publishes a fix
- Restrict the network egress of any host running fetch-mcp to allow only the destinations the workflow actually requires
- Block the cloud metadata IP 169.254.169.254 at the host firewall for any system running MCP fetch tools
Patch Information
No vendor advisory URL is listed in the NVD record at publication. Review the GitHub vulnerability analysis and the Notion security document for the latest remediation status, then track the upstream zcaceres/fetch-mcp repository for a patched release.
Workarounds
- Run fetch-mcp inside a network namespace or container with no route to internal subnets or metadata endpoints
- Wrap the MCP server behind an authenticated egress proxy that enforces an allowlist of permitted destination hostnames
- Disable the fetch MCP tool in AI client configurations where remote URL retrieval is not required
# Configuration example: block metadata and private ranges at the host firewall
sudo iptables -A OUTPUT -d 169.254.169.254 -j REJECT
sudo iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
sudo iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

