What happened
The upload_media function of the mcp-whatsapp component in aerostackdev/aerostack-mcp is vulnerable to SSRF via the media_url argument, allowing an attacker to cause the server to make requests to attacker-chosen internal or external destinations.
Why it matters
This is an SSRF in an MCP server component that bridges LLM agents to WhatsApp media handling; while niche in deployment, SSRF in MCP tool servers is a recurring class that can be used for internal network reconnaissance or cloud metadata credential theft from agent infrastructure.
Attack vector
Attacker-supplied media_url in upload_media MCP tool call triggers server-side request to arbitrary destination
Affected systems
aerostackdev aerostack-mcp (mcp-whatsapp component)
Mitigation
Restrict outbound network access from the MCP server; validate media_url against an allowlist