CVE-2025-65513

7.5 HIGH

📋 TL;DR

fetch-mcp v1.0.2 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to bypass private IP validation mechanisms. This enables unauthorized access to internal network resources that should be restricted. Systems using vulnerable versions of fetch-mcp are affected.

💻 Affected Systems

Products:
  • fetch-mcp
Versions: v1.0.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using fetch-mcp with user-controlled URL inputs is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access sensitive internal services, exfiltrate data from internal systems, or pivot to attack other internal network resources.

🟠 Likely Case: Unauthorized access to internal APIs, metadata services, or other internal web resources accessible from the vulnerable server.

🟢 If Mitigated: Limited impact if network segmentation restricts internal resource access or if the application doesn't process user-controlled URLs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and public analysis is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.3 or later

Vendor Advisory: https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65513.md

Restart Required: Yes

Instructions:

1. Update fetch-mcp to v1.0.3 or later: npm update fetch-mcp
2. Restart any services using fetch-mcp.
3. Verify the update was successful (npm list fetch-mcp should report 1.0.3 or later).

🔧 Temporary Workarounds

Network-level restrictions (all platforms): Implement network firewall rules to restrict outbound connections from the vulnerable server to only the external resources it needs.

Input validation enhancement (all platforms): Add additional URL validation in application code before passing URLs to fetch-mcp, for example rejecting URLs that resolve to private, loopback, or link-local addresses.
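An added example of such a pre-check, written for this page and not taken from fetch-mcp itself. It assumes Node.js 18+ and that the caller resolves the hostname (e.g. with dns.promises.lookup) and passes the resolved addresses in, so the check runs offline here:

```javascript
// Added example, not fetch-mcp's own code. Assumes Node.js 18+ (built-in WHATWG URL).
const BLOCKED_V4 = [ // [network, prefix length]: never fetch these on a caller's behalf
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];
// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if it is not one.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  const octets = m ? m.slice(1).map(Number) : [256];
  return octets.some((o) => o > 255) ? null : octets.reduce((acc, o) => acc * 256 + o, 0);
}
function isBlockedIPv4(ip) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return true; // refuse anything that does not parse
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}
// Expects canonical IPv6 text, as produced by the URL parser or dns.lookup.
function isBlockedIPv6(ip) {
  const a = ip.toLowerCase();
  if (a === "::1" || a === "::") return true; // loopback, unspecified
  const mapped = /^::ffff:(.+)$/.exec(a); // IPv4-mapped: judge the embedded IPv4
  if (mapped) {
    if (ipv4ToInt(mapped[1]) !== null) return isBlockedIPv4(mapped[1]); // ::ffff:127.0.0.1
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(mapped[1]); // ::ffff:7f00:1
    if (!hex) return true;
    const n = parseInt(hex[1], 16) * 0x10000 + parseInt(hex[2], 16);
    return isBlockedIPv4([n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join("."));
  }
  const first = parseInt(a.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}
function isBlockedAddress(ip) {
  return ip.includes(":") ? isBlockedIPv6(ip) : isBlockedIPv4(ip);
}
// resolvedAddresses: what the hostname resolved to, e.g. from
// dns.promises.lookup(host, { all: true }); every record must be allowed.
function checkTarget(urlString, resolvedAddresses = []) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  // WHATWG parsing already canonicalizes literals ("2130706433", "0x7f.1" -> "127.0.0.1").
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addrs = ipv4ToInt(host) !== null || host.includes(":") ? [host] : resolvedAddresses;
  if (addrs.length === 0) return { ok: false, reason: "hostname not resolved" };
  const bad = addrs.find(isBlockedAddress);
  return bad ? { ok: false, reason: `target ${bad} is an internal address` } : { ok: true, reason: "" };
}
```

The fetch that follows should connect to the address that was checked (and re-run the check on every redirect), otherwise the validation and the connection can disagree.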

🧯 If You Can't Patch

  • Implement strict network segmentation to limit what internal resources the vulnerable server can access.
  • Deploy a web application firewall (WAF) with SSRF protection rules enabled.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list fetch-mcp to see whether the installed version is 1.0.2 or earlier.

Check Version:

npm list fetch-mcp | grep fetch-mcp

Verify Fix Applied:

Confirm fetch-mcp version is 1.0.3 or later using npm list fetch-mcp.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from the server to internal IP addresses
  • Requests to metadata services (169.254.169.254, etc.)
  • Failed connection attempts to restricted internal addresses

Network Indicators:

  • HTTP traffic from server to internal IP ranges not normally accessed
  • Requests to localhost or loopback addresses from server processes

SIEM Query:

source="web_server_logs" AND (dst_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.169.254)) AND user_agent="fetch-mcp"
