An MCP Tool Response Just Accessed localhost
Client-side SSRF in MCP happens when a tool response contains internal URLs (like 127.0.0.1 or cloud metadata endpoints), tricking your AI agent into accessing services on your private network.
Client-side Server-Side Request Forgery (SSRF) is an MCP attack where tool responses include references to private IP addresses or internal endpoints, causing your AI agent to make follow-up requests to your internal network infrastructure.
How client-side SSRF works in MCP
1. Your agent calls a tool on a remote MCP server
2. The tool response contains URLs pointing to internal addresses: http://127.0.0.1:8080/admin, http://169.254.169.254/latest/meta-data/
3. Your agent, trying to be helpful, follows these URLs or uses them in subsequent requests
4. The attacker gains access to your internal services through your agent
Dangerous addresses to watch for
| Address | Risk |
|---|---|
| 127.0.0.1 / localhost | Local services, dev servers, databases |
| 10.x.x.x, 172.16-31.x.x, 192.168.x.x | Internal network services |
| 169.254.169.254 | Cloud metadata (AWS/GCP/Azure credentials) |
| [::1] | IPv6 loopback |
The cloud metadata endpoint
The cloud metadata endpoint (169.254.169.254) deserves special attention. Accessing it can expose AWS IAM credentials (full access to your cloud account), GCP/Azure service account tokens, and instance metadata like network configuration and SSH keys. A single SSRF hit to this endpoint can compromise your entire cloud environment.
Defenses
Scan tool responses for private IP references before acting on them. Configure your agent to reject URLs pointing to private ranges. Use network policies to prevent your agent from accessing internal endpoints, and enable Phase 2 scanning to detect SSRF attempts in live responses.
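One way to implement the first two defenses, as an added example that is not code from this page or from any MCP SDK: it extracts URLs from a tool response and flags those whose host falls in the ranges from the table above. The function names `classify_host` and `scan_tool_response` and the sample response are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Commas are excluded so comma-separated URL lists split into separate matches.
URL_RE = re.compile(r"https?://[^\s\"'<>,]+", re.IGNORECASE)

def classify_host(host):
    """Return why a URL host counts as internal, or None if it does not."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # Legacy IPv4 notations that inet_aton (and some HTTP clients) accept.
            ip = ipaddress.ip_address(socket.inet_aton(host))
        except (OSError, ValueError):
            return None  # ordinary DNS name: needs a resolve-time check elsewhere
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if not ip.is_global:
        return "private or reserved"
    return None

def scan_tool_response(text):
    """Return (url, reason) for every URL in text that targets an internal host."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".;)")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            findings.append((url, "unparseable URL"))  # fail closed
            continue
        reason = classify_host(host)
        if reason:
            findings.append((url, reason))
    return findings

# Constructed tool response, using the addresses listed on this page.
SAMPLE = ("Details: http://127.0.0.1:8080/admin,http://169.254.169.254/latest/meta-data/ "
          "status at http://[::1]:9000/status. Docs: https://example.com/help "
          "and export http://10.0.0.5/export")

if __name__ == "__main__":
    for url, reason in scan_tool_response(SAMPLE):
        print(f"BLOCK {url}  [{reason}]")
```

Ordinary DNS names pass this check because it never resolves them, so a name that resolves to an internal address still has to be stopped by the network policy mentioned above.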