MCP glossary

Security

SSRF

Learn what SSRF means for hosted MCP tools, website-to-MCP generation, private network blocking, and safe URL handling.

Definition

SSRF, or server-side request forgery, is a vulnerability where an attacker makes a server request internal, private, or sensitive network targets. For hosted MCP runtimes, SSRF matters whenever a tool fetches URLs or follows user-controlled links.

How Astrail Uses It

Astrail blocks local and private-network targets in website-to-MCP and runtime fetch paths. This prevents generated tools from being used to probe metadata services, loopback addresses, internal dashboards, or tenant-private services.

Implementation Checklist

Resolve hostnames before fetch and block private, loopback, link-local, and metadata IP ranges.

Re-check redirects instead of trusting only the first URL.

Bound crawl depth, response size, and request time.

Log blocked destinations without returning sensitive infrastructure details.

FAQ

Why is SSRF a risk for MCP?

Agents can request tool calls with URLs or source documents. If the server fetches those URLs unchecked, an attacker can turn the hosted runtime into a network probe.

Does auth fully solve SSRF?

No. Auth tells you who called the tool. Network policy still needs to decide which destinations the server is allowed to reach.