Srikanthramu

**Name of the Vulnerable Software and Affected Versions** mcp-security versions prior to 0.1.9 **Description** The mcp-security framework fails to implement mandatory Server-Side Request Forgery (SSRF) mitigations—a flaw where an attacker can induce the server to make requests to an unintended location—as outlined in the Model Context Protocol (MCP) security specifications. The framework processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This issue specifically affects installations where Dynamic Client Registration (DCR) is enabled via the `spring.ai.mcp.client.authorization.dynamic-client-registration.enabled` property. DCR does not validate URLs exposed by MCP Servers, such as the protected resource metadata URL and authorization server URL, nor does it validate OAuth2 endpoints from Authorization Servers. **Recommendations** Update to version 0.1.9. As a temporary workaround, provide a custom `McpOAuth2ClientManager` when performing DCR. Provide custom subclasses for `McpMetadataDiscoveryService` and `DynamicClientRegistrationService` if they are in use. Implement URL filtering by providing the default implementations of these classes with a `RestClient` that utilizes a `ClientHttpRequestInterceptor`.

**Name of the Vulnerable Software and Affected Versions** MCP Java SDK versions prior to 1.0.1 MCP Java SDK versions prior to 1.1.1 **Description** The MCP Java SDK contains a hardcoded wildcard Cross-Origin Resource Sharing (CORS) configuration, specifically setting `Access-Control-Allow-Origin` to '*'. This allows cross-origin reads, potentially exposing sensitive information like session IDs via Server-Sent Events (SSE). An attacker-controlled web page can instruct a victim's browser to open a GET request to an internal server endpoint. Because of the wildcard CORS setting, the attacker's page can receive event data, including the session ID, and then use the victim's browser to relay a POST request to that endpoint. The Python SDK does not exhibit this behavior, maintaining the browser's default same-origin policy. The vulnerable code is located in `HttpServletSseServerTransportProvider.java` at line 289 and `HttpServletStreamableServerTransportProvider.java` at line 525. **Recommendations** For versions prior to 1.0.1, server implementers should add a CORS filter at the servlet filter or Spring Security layer to manage cross-origin access. For versions prior to 1.1.1, server implementers should add a CORS filter at the servlet filter or Spring Security layer to manage cross-origin access.

**Name of the Vulnerable Software and Affected Versions** MCP Ruby SDK versions prior to 0.9.2 **Description** The Ruby SDK for Model Context Protocol servers and clients contains a session hijacking issue in its `streamable http transport.rb` implementation. An attacker obtaining a valid session ID can hijack a victim's Server-Sent Events (SSE) stream, intercepting all real-time data. The issue stems from a lack of session-to-user identity binding, ownership validation when establishing SSE connections, and protection against multiple simultaneous connections to the same session. Specifically, the `store stream for session` function overwrites existing streams for a session ID, allowing an attacker to replace a legitimate user's stream with their own. This allows the attacker to receive all subsequent data intended for the victim. The Python SDK includes protection against this by rejecting duplicate SSE connections. **Recommendations** Versions prior to 0.9.2 should be updated to version 0.9.2 or later.