SSRF in MCP servers: what it is and how to prevent it
Server-Side Request Forgery, or SSRF, is when an attacker convinces your server to make a request on their behalf to somewhere they should not be able to reach. In the MCP world it shows up the moment you build a tool that fetches a URL. A 2026 review found that 36.7 percent of public MCP servers were SSRF-vulnerable.
Why MCP makes this worse
An MCP tool that takes a URL and fetches it is handing the fetch target to a language model, which
can be steered by prompt injection. So the attacker does not even need direct access. They poison some
content the model reads, and the model calls your fetch_url tool with a URL of their
choosing. If your server fetches it naively, it becomes a proxy.
What they reach for
http://169.254.169.254/the cloud metadata endpoint, which can leak credentials on AWS, GCP, and others.http://localhostand127.0.0.1internal admin panels and databases.- Private ranges like
10.x,192.168.x, and172.16-31.xanything inside your network. - A DNS name that resolves to a public IP on the first check and a private IP on the second (DNS rebinding).
How to build a safe fetch
A safe outbound fetch layers several defenses. Skipping any one of them leaves a hole.
- Scheme allowlist. https only by default. Reject file, gopher, and friends.
- Block dangerous hosts. localhost,
*.internal, and the metadata hostnames. - Block private IP literals. loopback, private ranges, link-local, CGNAT, and multicast, for both IPv4 and IPv6.
- Re-resolve and re-check. Resolve the hostname, then validate the resolved IP, to defeat DNS rebinding.
- Do not follow redirects. A redirect is the classic way to bounce from an allowed host to an internal one.
- Cap size and time. A response size limit and a request timeout.
function assertSafeUrl(raw) {
const u = new URL(raw);
if (u.protocol !== "https:") throw new Error("https only");
const host = u.hostname.toLowerCase();
if (host === "localhost" || host.endsWith(".internal")) throw new Error("blocked host");
if (isIpLiteral(host) && isPrivateIp(host)) throw new Error("blocked IP");
return u; // then re-resolve + re-check before fetch, no redirects
}
Check your config for SSRF-prone servers (free)
mcp-audit flags remote servers without auth, cleartext http, and other issues that pair with SSRF risk. Local and zero-dependency.
mcp-audit on GitHubGet a server with SSRF-safe fetch already built
MCP Forge Kit ships a hardened safe-fetch utility that does all of the above, plus auth, rate limiting, validation, tests, and CI.
Get MCP Forge Kit, €39Related: How to add authentication to your MCP server · The MCP Server Security Checklist