Summary
The SDK creates httpx.AsyncClient with follow_redirects=True but no redirect validation. A malicious MCP server can redirect requests to internal network addresses (http://localhost, http://169.254.169.254, http://metadata.google.internal), enabling SSRF attacks.
Location
src/mcp/shared/_httpx_utils.py — the shared httpx client factory.
Proposed Fix
- Default: Block HTTPS-to-HTTP downgrades on redirects
- Provide configurable
RedirectPolicy presets:
BLOCK_SCHEME_DOWNGRADE (default) — block HTTPS→HTTP redirectsENFORCE_HTTPS (strict) — only allow HTTPS destinationsALLOW_ALL (legacy) — current behavior, no restrictions
- Consider also blocking redirects to private/link-local IP ranges
Summary
The SDK creates
httpx.AsyncClientwithfollow_redirects=Truebut no redirect validation. A malicious MCP server can redirect requests to internal network addresses (http://localhost,http://169.254.169.254,http://metadata.google.internal), enabling SSRF attacks.Location
src/mcp/shared/_httpx_utils.py— the shared httpx client factory.Proposed Fix
RedirectPolicypresets:BLOCK_SCHEME_DOWNGRADE(default) — block HTTPS→HTTP redirectsENFORCE_HTTPS(strict) — only allow HTTPS destinationsALLOW_ALL(legacy) — current behavior, no restrictions