FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerability exists in the _build_url() method. When an OpenAPI operation defines path parameters (e.g., /api/v1/users/{user_id}), the system directly substitutes parameter values into the URL template string without URL-encoding. Subsequently, urllib.parse.urljoin() resolves the final URL. Since urljoin() interprets ../ sequences as directory traversal, an attacker controlling a path parameter can perform path traversal attacks to escape the intended API prefix and access arbitrary backend endpoints. This results in authenticated SSRF, as requests are sent with the authorization headers configured in the MCP provider. This issue has been patched in version 3.2.0.
The RequestDirector class in the OpenAPIProvider component is responsible for building HTTP requests to backend services based on OpenAPI specifications. The _build_url() method inserts path parameter values (e.g. {user_id}) directly into the URL template without prior URL-encoding. Subsequently, the urllib.parse.urljoin() function resolves the final URL, and since it interprets ../ sequences as directory traversal, an attacker controlling the path parameter value can escape the intended API prefix. The crafted request is sent to any backend endpoint along with authorization headers configured in the MCP provider, constituting an authenticated SSRF.
An attacker can bypass intended API restrictions and gain access to arbitrary internal backend endpoints, and requests are executed with the victim's full authorization headers, which may lead to disclosure of sensitive data, modification of resources, or further lateral movement within the internal network.
FastMCP should be updated to version 3.2.0 or later, in which the issue has been fixed. The patch is available in the GitHub repository (commit 40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71) and in the official v3.2.0 release.
Jlowin FastMCP (PrefectHQ/fastmcp) in all versions prior to 3.2.0 using the OpenAPIProvider component.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XJlowin Fastmcp
APPJlowin< 3.2.0
Related vulnerabilities
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the Git...
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not ...
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containi...
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cro...
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection...