Automated Security Finding
mcp-safeguard (MCP security scanner) v0.3.0 includes rule SS-001 that flags MCP tools with unconstrained URL parameters as potential SSRF vectors.
Why this matters for Supabase MCP
If any tool in this server:
- Accepts a
url, endpoint, or similar parameter
- Makes an outbound HTTP request with that URL
- Is deployed on cloud infrastructure with IAM/service account access
...it can be exploited via prompt injection to reach cloud metadata endpoints.
Additionally, the search_docs tool (if it fetches content from user-controlled sources) represents an indirect prompt injection vector — user-controlled data returned to LLM context.
This is a known vulnerability class: coordinated disclosure D003 (AIVSS 8.8) documented similar issues.
Request
Please review all URL-accepting parameters for SSRF hardening. The fix involves:
- Restricting to
https:// scheme
- Blocking RFC 1918, loopback, link-local IP ranges
- Revalidating redirect destinations
Scan your config: pip install mcp-safeguard && mcp-safeguard scan config.json
— Syed Anas Mohiuddin | mcp-safeguard
Automated Security Finding
mcp-safeguard (MCP security scanner) v0.3.0 includes rule SS-001 that flags MCP tools with unconstrained URL parameters as potential SSRF vectors.
Why this matters for Supabase MCP
If any tool in this server:
url,endpoint, or similar parameter...it can be exploited via prompt injection to reach cloud metadata endpoints.
Additionally, the
search_docstool (if it fetches content from user-controlled sources) represents an indirect prompt injection vector — user-controlled data returned to LLM context.This is a known vulnerability class: coordinated disclosure D003 (AIVSS 8.8) documented similar issues.
Request
Please review all URL-accepting parameters for SSRF hardening. The fix involves:
https://schemeScan your config:
pip install mcp-safeguard && mcp-safeguard scan config.json— Syed Anas Mohiuddin | mcp-safeguard