GitHub MCP Proxy Exposes Critical SSRF Flaw, Enabling Internal Network & Credential Exfiltration

A critical Server-Side Request Forgery (SSRF) vulnerability has been exposed within GitHub's MCP (Model Context Protocol) proxy, allowing user-created MCP servers to force the platform's backend to fetch arbitrary external URLs without validation. This flaw transforms the proxy into a direct conduit for attackers to probe internal services, cloud metadata endpoints, and link-local addresses, posing a severe risk to internal infrastructure.

The vulnerability is rooted in two core files: `app/api/mcp/proxy/[mcpId]/route.ts`, which directly uses an unvalidated `mcp.external_endpoint` in a `fetch` call, and `lib/services/user-mcps.ts`, which lacks any validation on the `externalEndpoint` parameter. This insecure design allows an attacker to register an MCP server pointing to sensitive internal IP ranges, including cloud metadata endpoints like 169.254.169.254. The risk escalates dramatically with the planned introduction of OAuth token injection into MCP requests, which would convert this SSRF flaw into a direct credential exfiltration vector.

Classified under OWASP's A10:2021 (SSRF) and A04:2021 (Insecure Design), this vulnerability represents a fundamental architectural weakness. The recommended mitigation involves implementing strict validation, including an allowlist of permitted domains and IPs, and proactively blocking access to internal, link-local, and cloud metadata address ranges to prevent unauthorized server-side requests and potential data breaches.