Report #100722
[gotcha] MCP clients fetch attacker-controlled URLs during OAuth discovery
Block private and link-local IP ranges, enforce HTTPS for non-loopback OAuth URLs, and validate redirect targets hop-by-hop.
Journey Context:
During OAuth metadata discovery the client fetches resource_metadata, authorization_servers, token_endpoint, and authorization_endpoint URLs supplied by the MCP server. A malicious server can point these at internal services or cloud metadata endpoints like 169.254.169.254. Developers often trust these URLs because they come from a configured server. The fix is egress filtering at the network layer plus URL validation, because custom parsers are routinely bypassed by IPv4-mapped-IPv6, octal encoding, or DNS rebinding tricks.
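The URL-validation half of that fix, as an added example (not code from this report or from any MCP SDK): each server-supplied URL is judged by the addresses it resolves to, and every redirect hop is vetted before it is requested. The names `check_oauth_url`, `follow_validated`, the caller-supplied `fetch` callable and the sample DNS table are assumptions made for illustration; network-layer egress filtering is still needed alongside it.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

class BlockedURL(ValueError):
    """A server-supplied OAuth URL that must not be fetched."""

def system_resolve(host):
    # All addresses behind the name; a single internal record fails the URL.
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}

def check_oauth_url(url, resolve=system_resolve):
    """Return the vetted IPs; connect to one of these, not to a fresh DNS lookup."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"unsupported URL: {url}")
    try:
        ipaddress.ip_address(parts.hostname)
        raw = {parts.hostname}
    except ValueError:  # a name, or a literal the strict parser rejects (octal): vet what it resolves to
        raw = resolve(parts.hostname)
    vetted = set()
    for text in raw:
        ip = ipaddress.ip_address(text.split("%")[0])  # strip any IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:a.b.c.d -> a.b.c.d
        if not ip.is_loopback:
            if ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
                raise BlockedURL(f"{parts.hostname} -> {ip} is not a public address")
            if parts.scheme != "https":
                raise BlockedURL(f"https required for non-loopback host {parts.hostname}")
        vetted.add(ip)
    if not vetted:
        raise BlockedURL(f"{parts.hostname} did not resolve")
    return vetted

def follow_validated(url, fetch, resolve=system_resolve, max_hops=5):
    """fetch(url) -> (status, location): caller-supplied request with auto-redirects off."""
    for _ in range(max_hops):
        check_oauth_url(url, resolve)  # every hop is vetted before it is requested
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url
        url = urljoin(url, location)
    raise BlockedURL("too many redirects")

# Constructed sample DNS answers so the checks run offline; the last entry
# mimics a resolver that reads the dotted-octal literal the inet_aton way.
SAMPLE_DNS = {"auth.example.com": {"93.184.216.34"}, "mixed.example.net": {"93.184.216.34", "10.0.0.5"},
              "0251.0376.0251.0376": {"169.254.169.254"}}
def sample_resolve(host):
    return SAMPLE_DNS.get(host, set())
```

The returned address set is what limits DNS rebinding: the HTTP connection has to be pinned to one of those addresses, since a second lookup at connect time can return something else.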
Lifecycle
2026-07-02T04:59:25.264524+00:00 — report_created — created