Spring AI MCP — SSRF via Dynamic Client Registration

AI relevance: Spring AI's MCP client uses untrusted OAuth metadata URLs to construct outbound HTTP requests during dynamic client registration, turning every vulnerable MCP host into a confused-deputy SSRF proxy that can hit internal services and cloud IMDS endpoints.

  • The mcp-security library (Spring AI MCP client) makes HTTP requests to URLs supplied by MCP servers and authorization servers without any validation or filtering.
  • When spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true, the McpMetadataDiscoveryService and DynamicClientRegistrationService blindly follow URLs from untrusted sources.
  • An attacker hosting a malicious MCP server or rogue authorization server returns crafted metadata containing internal URLs (e.g., http://169.254.169.254/latest/meta-data/ for AWS IMDS).
  • The victim MCP client then sends HTTP requests to those internal addresses, bypassing network firewalls and exposing cloud credentials, internal admin panels, and private services.
  • The attack is fully automated: it piggybacks on the standard OAuth2 discovery flow, requiring no special configuration on the attacker side beyond hosting a malicious endpoint.
  • This is yet another confused-deputy pattern in MCP's OAuth architecture — joining a growing list of SSRF-class vulnerabilities across the MCP ecosystem.
  • The only official workaround is to disable DCR or implement a custom ClientHttpRequestInterceptor with allowlist-based URL filtering.

Why it matters

MCP deployments are proliferating in enterprise environments with cloud credentials and internal network access. Every MCP client with DCR enabled becomes a potential SSRF relay. This is not a hypothetical risk — cloud IMDS metadata theft from SSRF is a well-documented attack path to full account compromise.

What to do

  • Disable DCR if not required: set spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=false.
  • Implement URL validation via a custom ClientHttpRequestInterceptor that blocks RFC 1918, link-local, and IMDS ranges.
  • Apply egress controls on MCP client hosts to restrict outbound connections to known external domains.
  • Await vendor patch — a fixed mcp-security version was expected.
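
One way to write the interceptor from the list above, as an added example that is not code from Spring AI or mcp-security. The class name, the allowlist contents and the HTTPS-only rule are assumptions, and registering the interceptor on the HTTP client that performs discovery and registration depends on the deployment and is not shown.

```java
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;

/** Added example (hypothetical class): refuses requests to hosts that are not allowlisted or that resolve internally. */
public class SsrfGuardInterceptor implements ClientHttpRequestInterceptor {

    // Lower-case host names the client may contact, e.g. "auth.example.com" (placeholder value).
    private final Set<String> allowedHosts;

    public SsrfGuardInterceptor(Set<String> allowedHosts) {
        this.allowedHosts = Set.copyOf(allowedHosts);
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        URI uri = request.getURI();
        String host = uri.getHost();
        // Assumption: only HTTPS is needed. IP literals fail here because they are not in the allowlist.
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())
                || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IOException("Blocked outbound request to non-allowlisted URL: " + uri);
        }
        // Defence in depth: an allowlisted name must not resolve to an internal address.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isInternal(addr)) {
                throw new IOException("Blocked: " + host + " resolves to " + addr.getHostAddress());
            }
        }
        return execution.execute(request, body);
    }

    /** Loopback, link-local (169.254.0.0/16 including IMDS, fe80::/10), RFC 1918, IPv6 ULA fc00::/7, wildcard, multicast. */
    static boolean isInternal(InetAddress addr) {
        if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
            return true;
        }
        // isSiteLocalAddress() does not cover IPv6 unique local addresses, so test fc00::/7 directly.
        return addr instanceof Inet6Address && (addr.getAddress()[0] & 0xfe) == 0xfc;
    }
}
```

The interceptor resolves the host name separately from the HTTP client, so a changed DNS answer between the two lookups, or a redirect followed by the underlying client, is not caught here; the egress controls in the list above cover that gap.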

Sources