VDB
KO
MEDIUM 4.7

GHSA-pr64-jmmf-jp54

ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)

Details

# Security Advisory: SSRF in remote MCP server authentication discovery

**Severity:** High. **CWE:** CWE-918. **Affected:** ToolHive through the latest release v0.29.3 and current `main` (HEAD b672d82f, 2026-06-12; re-verified 2026-06-14). `FetchResourceMetadata` and the discovery clients remain unguarded; no commits to `pkg/auth/discovery` or `pkg/auth/remote` address this. Originally identified at commit 05f11b53; all line references below are against HEAD b672d82f.

## Summary ToolHive's remote MCP server authentication discovery issues outbound HTTP requests to URLs the remote MCP server controls, with no private-IP or loopback guard and no restriction on redirects. ToolHive's core security model treats every MCP server as untrusted: the README states it "runs every MCP server in an isolated container" with "no local credentials," and it ships an egress proxy for network isolation. This discovery code runs host-side, in the ToolHive process, before and outside that per-server container sandbox. A malicious or compromised remote MCP server, added by a user through ToolHive's normal remote-server workflow, can therefore drive the ToolHive host itself to fetch arbitrary internal URLs, including cloud instance metadata, which bypasses the isolation ToolHive exists to provide. The user never selects a malicious target; they connect to a server they intend to use, and the attack is carried entirely in that server's discovery response.

ToolHive already establishes this boundary in code. `ValidateRemoteURL` (cmd/thv-operator/pkg/validation/url_validation.go:61) rejects internal IPs and known internal hostnames for the configured remote URL, and `IsPrivateIP` (pkg/networking/utilities.go:105) blocks RFC1918, link-local, `169.254.0.0/16`, and loopback for outbound requests. The discovery clients below never call either guard, and the attacker-supplied resource_metadata URL and its redirect target are validated by neither. This is a deviation from the project's intended behavior, not a configuration choice by the operator.

## The discovery clients are explicitly marked as trusted The three outbound requests in this finding carry the maintainers' own gosec suppressions, each with a rationale comment asserting the URL is trusted:

- `discovery.go:165` -- `resp, err := client.Do(req) // #nosec G704 -- targetURI is the MCP server endpoint URL from internal config` - `discovery.go:219` -- `resp, err := client.Do(req) // #nosec G704 -- uri is built from the MCP server endpoint for auth discovery` - `discovery.go:931` -- `resp, err := client.Do(req) // #nosec G704 -- URL is the OIDC well-known metadata endpoint`

gosec's G704 is its SSRF taint-analysis rule: it flags exactly this pattern, an HTTP request whose URL flows from external input. The suppressions dismiss it on the premise that the URL comes "from internal config" or is "the MCP server endpoint." That premise is the bug. The targetURI is the remote MCP server endpoint, and the resource_metadata URL at line 931 comes straight from the server's `WWW-Authenticate` header (parsed by `ParseWWWAuthenticate`, discovery.go:293; `resource_metadata` extracted at discovery.go:315). Under ToolHive's own threat model the remote MCP server is untrusted, so "the MCP server endpoint" is attacker-controlled input, not internal config. A parallel cluster of `//nolint:gosec // G706` (log-injection) suppressions on the same discovery responses (discovery.go:212, 221, 240, 268, 273, 280) shows the same data being treated as trusted throughout this code path. The maintainers saw the taint-analysis warning on these requests and waved it through on a trust assumption that contradicts the project's design.

## Relationship to existing reports This is distinct from issue #5135 (DCR resolver SSRF). #5135 is scoped to the DCR registration client, which already refuses redirects: `client.CheckRedirect = errDCRRedirectRefused` (pkg/auth/dcr/resolver.go:1281), with an in-code comment explaining that the wrapping client "refuses to follow HTTP redirects ... never for a redirected request whose URL the upstream chose" (resolver.go:1240). The discovery sinks below set no `CheckRedirect` and no private-IP guard, and are reached by a different path (the `WWW-Authenticate` resource_metadata discovery and the OIDC issuer discovery). The project demonstrably understands that redirect-following to an upstream-chosen URL is dangerous and guarded the DCR client against it; it left the discovery clients open. Fixing #5135 does not address them.

This is also distinct from GHSA-pph6-vfjv-vpjw (published 2026-06-04), which reports that the `IsPrivateIP` guard itself misses the IPv6 NAT64 ranges and so requires a NAT64/DNS64 gateway to reach internal addresses. The finding here does not depend on that guard's completeness: the discovery clients never call `IsPrivateIP` at all, so the host fetches `169.254.169.254` directly on any deployment, with no NAT64 dependency, and additionally follows redirects. The NAT64 fix to `IsPrivateIP` does not protect these clients because they do not use the guard.

## Details 1. `remote.Handler.Authenticate` calls `discovery.DetectAuthenticationFromServer` (pkg/auth/remote/handler.go:62), which issues a GET to the remote URL (client built at discovery.go:93 with no `CheckRedirect`; request at discovery.go:165). 2. A `401` with `WWW-Authenticate: Bearer ... resource_metadata="<url>"` is parsed by `ParseWWWAuthenticate` (discovery.go:293), and the server-supplied `resource_metadata` value is stored (discovery.go:315). 3. `tryDiscoverFromResourceMetadata` calls `FetchResourceMetadata` (handler.go:411, discovery.go:899). That client is built with no `CheckRedirect` and no private-IP dialer guard (discovery.go:916) and issues `client.Do(GET <attacker url>)` (discovery.go:931). `FetchResourceMetadata` requires the initial metadata URL to use HTTPS (discovery.go:911), but that check runs once on the supplied URL only; the client then follows the `302 Location` to any scheme and any address with no re-validation. 4. The OIDC issuer discovery path (`.well-known/openid-configuration`, `.well-known/oauth-authorization-server`) and the well-known existence probe (discovery.go:219) use the same unguarded client pattern.

## Proof of concept (reproduced; recording available) The attacker is the remote MCP server, not a URL the victim chooses. The victim connects to a server they intend to use (from a registry, a shared config, or a previously-legitimate endpoint that was later compromised) and the entire attack lives in that server's discovery response.

1. A remote MCP server the victim has added responds to discovery with `401 WWW-Authenticate: Bearer realm="x", resource_metadata="https://<server>/.well-known/oauth-protected-resource"` (HTTPS, so it passes the discovery.go:911 scheme check), and returns `302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>` for that metadata URL. In the recording a loopback mock instance-metadata service stands in for `169.254.169.254` to avoid touching a real cloud account; the ToolHive code path is identical on a cloud instance, where the same redirect reaches the real metadata endpoint with no extra precondition. 2. The victim runs that server the normal way: `thv run <remote-mcp-server> --remote-auth`. ToolHive performs the auth discovery automatically; the victim never targets an internal address. 3. Observed: ToolHive's host process fetches the server-supplied resource_metadata URL and follows the `302` to the internal metadata path with no address filtering. The mock instance-metadata service received the request from ToolHive's Go HTTP client (`Go-http-client/1.1`) and returned a `Metadata-Flavor` header with IAM credentials, confirming the host follows the server-controlled redirect to an internal endpoint. The proven primitive is "the ToolHive host issues a GET to a server-controlled internal address and follows redirects with no filtering." On an instance with AWS IMDSv1 enabled that primitive returns IAM credentials directly, since IMDSv1 answers a plain GET. IMDSv2 (token via `PUT` plus a header) and GCP (`Metadata-Flavor` header) are not reachable by a redirect-following GET, so on those the reachable impact is the broader internal-GET surface: internal-only HTTP services, IMDSv1 where still enabled, link-local and RFC1918 endpoints, and reachability or error oracles.

## Impact A remote MCP server forces the host to issue arbitrary internal GET requests with redirect following and no address filtering. The host-side reach is the proven impact: internal-only services not exposed to the network, link-local and RFC1918 endpoints, and reachability or error oracles. On instances with AWS IMDSv1 enabled the request to `169.254.169.254` returns IAM credentials directly. Because the discovery runs in the host process and not in the per-server container, this is exactly the reach that the MCP server's own container sandbox is designed to deny.

## Suggested fix Apply the DCR client's hardening to the discovery clients: set `CheckRedirect` to reject cross-host or scheme-downgrade redirects, and wrap `DialContext` with the project's existing `IsPrivateIP` guard (pkg/networking/utilities.go:105) for `FetchResourceMetadata`, `DetectAuthenticationFromServer`, and the issuer-discovery client. Re-validating the redirect target, not only the initial URL, is the load-bearing part: the discovery.go:911 HTTPS check is bypassed by a `302` from an HTTPS metadata URL to an internal `http` address.

## Verification status The resource_metadata path was dynamically reproduced with a recording (against commit 05f11b53; the sink code at HEAD b672d82f is source-identical, with the unguarded clients and the three `#nosec G704` suppressions confirmed present). The OIDC issuer discovery path is confirmed by source review against the same unguarded client and is in scope of the same fix.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/stacklok/toolhive
Introduced in: 0 Fixed in: 0.31.0
Fix go get github.com/stacklok/toolhive@v0.31.0

References