Technical description
The mcp-security library for Spring AI (spring-ai-community/mcp-security), which provides OAuth-based security and authorisation for Model Context Protocol servers, fails to implement the mandatory SSRF mitigations required by the MCP security specification. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying whether targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled. CVSS score is 7.2 (High). Fixed in version 0.1.9.
Attack vector
An attacker controlling the OAuth metadata URL supplied during Dynamic Client Registration can direct the MCP security framework to make HTTP requests to internal network endpoints (SSRF), potentially exposing internal services, cloud metadata APIs (e.g., AWS IMDS), or internal admin panels. Exploitation requires that DCR is enabled in the deployment.
Affected systems
spring-ai-community/mcp-security library versions prior to 0.1.9 with Dynamic Client Registration (DCR) enabled. Any Spring AI application using mcp-security for OAuth authentication of MCP server connections is potentially affected.
Mitigation
Upgrade to mcp-security version 0.1.9 immediately. If immediate upgrade is not possible, disable Dynamic Client Registration (DCR) as a temporary workaround. Review network egress policies for MCP server processes to block access to cloud metadata endpoints and internal services.
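As a defensive illustration of the missing check, the following added example (not code from mcp-security or from its 0.1.9 fix) vets an OAuth metadata URL before any request is made. The class name `MetadataUrlGuard`, its methods and the sample URLs are hypothetical; only standard `java.net` calls are used.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;
/** Hypothetical helper, not part of mcp-security: vets a metadata URL before any fetch. */
public final class MetadataUrlGuard {
    /** Returns the vetted addresses; connect only to these so a later DNS answer cannot differ. */
    public static List<InetAddress> vet(String url) throws UnknownHostException {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("need absolute https URL without userinfo");
        }
        InetAddress[] resolved = InetAddress.getAllByName(uri.getHost());
        for (InetAddress a : resolved) {
            if (isInternal(a)) {
                throw new IllegalArgumentException("resolves to internal " + a.getHostAddress());
            }
        }
        return List.of(resolved);
    }

    static boolean isInternal(InetAddress a) {
        // 0.0.0.0, 127/8, 169.254/16 (cloud metadata), RFC 1918, ::1, fe80::/10, multicast
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (a instanceof Inet6Address) {
            return (b[0] & 0xfe) == 0xfc; // fc00::/7 unique local
        }
        return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64; // 100.64.0.0/10 shared space
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; IP literals need no DNS lookup, so this runs offline.
        for (String u : List.of("https://169.254.169.254/latest/meta-data/",
                "https://[::1]/.well-known/oauth-authorization-server", "https://10.0.0.5/admin",
                "http://203.0.113.10/", "https://203.0.113.10/.well-known/oauth-authorization-server")) {
            try {
                System.out.println("ALLOW " + u + " -> " + vet(u));
            } catch (IllegalArgumentException e) {
                System.out.println("BLOCK " + u + ": " + e.getMessage());
            }
        }
    }
}
```

A check like this only holds if the HTTP client does not follow redirects automatically, or applies the same vetting to every redirect target.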