Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled: spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization …