GHSA-qjp4-4jvr-xqg3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qjp4-4jvr-xqg3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qjp4-4jvr-xqg3/GHSA-qjp4-4jvr-xqg3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qjp4-4jvr-xqg3
- Aliases
- Published
- 2026-05-18T13:29:29Z
- Modified
- 2026-05-18T13:45:07.511291725Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
- Details
-
Summary
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.
This only affects installations with Dynamic Client Registration (DCR) enabled:
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=trueDCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).
Workaround
When users need to perform DCR, they may provide their own
McpOAuth2ClientManager. BothMcpMetadataDiscoveryServiceandDynamicClientRegistrationServiceare also affected, if used, users should provide their own subclasses.Alternatively, users can provide the default implementations of these classes with a
RestClientthat implements URL filtering throughClientHttpRequestInterceptor. - Database specific
{ "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "github_reviewed_at": "2026-05-18T13:29:29Z", "severity": "HIGH", "nvd_published_at": null }- References
-
- https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3
- https://github.com/spring-ai-community/mcp-security/pull/68
- https://github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576
- https://github.com/spring-ai-community/mcp-security
- https://github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9
Affected packages
Maven / org.springaicommunity:mcp-client-security
Package
- Name
- org.springaicommunity:mcp-client-security
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springaicommunity/mcp-client-security
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.1.9