Skip to content

Security: automated SSRF scan (mcp-safeguard SS-001) — request URL parameter audit #291

Description

@SyedAnas01

Automated Security Finding

mcp-safeguard (MCP security scanner) v0.3.0 includes rule SS-001 that flags MCP tools with unconstrained URL parameters as potential SSRF vectors.

Why this matters for Supabase MCP

If any tool in this server:

  1. Accepts a url, endpoint, or similar parameter
  2. Makes an outbound HTTP request with that URL
  3. Is deployed on cloud infrastructure with IAM/service account access

...it can be exploited via prompt injection to reach cloud metadata endpoints.

Additionally, the search_docs tool (if it fetches content from user-controlled sources) represents an indirect prompt injection vector — user-controlled data returned to LLM context.

This is a known vulnerability class: coordinated disclosure D003 (AIVSS 8.8) documented similar issues.

Request

Please review all URL-accepting parameters for SSRF hardening. The fix involves:

  • Restricting to https:// scheme
  • Blocking RFC 1918, loopback, link-local IP ranges
  • Revalidating redirect destinations

Scan your config: pip install mcp-safeguard && mcp-safeguard scan config.json

— Syed Anas Mohiuddin | mcp-safeguard

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions