The OAuth discoverer follows URLs from server metadata (authorization_servers, registration_endpoint, token_endpoint) without any validation. An attacker controlling an MCP server's .well-known responses can point these URLs at internal services (e.g. https://169.254.169.254/metadata, https://10.0.0.1/...), causing the gem to make requests to private/internal networks.
An attacker can use their own MCP server to dig into/look at local infra.
https://en.wikipedia.org/wiki/Server-side_request_forgery
Affected code
In discoverer.rb, after fetching resource metadata and server metadata, the gem follows http_client.get(url) URLs without checking:
- That they use HTTPS (should be the right default)
- That they don't resolve to private/internal IP ranges (should be the right default)
Suggested fix
Validate derived URLs before following them. Options:
- Reject any non-HTTPS endpoint
- Resolve hostnames and reject responses pointing to private/internal ranges by default, with an opt-out for local development.
Workaround
Users can validate URLs in their storage adapter's set_resource_metadata and set_server_metadata methods before persisting, which prevents the gem from following malicious URLs. This is what we're currently doing.
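A sketch of the validation described under "Suggested fix" and "Workaround", as an added example that is not the gem's code or the reporter's: `MetadataUrlGuard`, `check!` and `check_metadata!` are hypothetical names, and the blocked ranges are an assumed default list. The resolver is injectable so the check can be exercised offline.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Added example, not the gem's code; module and method names are hypothetical.
module MetadataUrlGuard
  class UnsafeUrl < StandardError; end

  # Loopback, private, link-local (cloud metadata), CGNAT and unspecified ranges.
  BLOCKED = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  def self.blocked_ip?(ip)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is treated as 10.0.0.1
    BLOCKED.any? { |range| range.family == ip.family && range.include?(ip) }
  end

  # Returns the URI or raises UnsafeUrl; allow_private is the local-dev opt-out.
  def self.check!(url, resolver: DEFAULT_RESOLVER, allow_private: false)
    uri = URI.parse(url.to_s)
    raise UnsafeUrl, "not HTTPS: #{url}" if !uri.is_a?(URI::HTTPS) || uri.host.to_s.empty?
    return uri if allow_private

    host = uri.hostname # IPv6 literals come back without brackets
    addrs = begin
      [IPAddr.new(host)] # literal IP: no DNS lookup needed
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
    raise UnsafeUrl, "#{host} does not resolve" if addrs.empty?
    bad = addrs.find { |ip| blocked_ip?(ip) }
    raise UnsafeUrl, "#{host} resolves to #{bad}" if bad
    uri
  rescue URI::InvalidURIError
    raise UnsafeUrl, "unparseable URL: #{url}"
  end

  # Checks the three metadata fields named in the report before they are stored.
  def self.check_metadata!(metadata, **opts)
    urls = Array(metadata["authorization_servers"]) +
           metadata.values_at("registration_endpoint", "token_endpoint").compact
    urls.each { |u| check!(u, **opts) }
    metadata
  end
end
```

A check at storage time does not cover a hostname whose DNS answer changes between validation and the actual request, so the HTTP client should also connect to the validated address or re-check at connect time and on redirects.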