auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
Cloud credential theft — server on EC2 / GCE / Azure VM. MCP client invokes auth_fetch({ url: "http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>" }) and receives temporary credentials in the tool response. Or invokes download_media({ urls: […], output_dir: "/tmp/exfil" }) to persist them to disk. Internal service enumeration — MCP client probes private-range hosts (10/8, 172.16/12, 192.168/16). Each auth_fetch returns the page DOM; each download_media writes the response to disk. Loopback exploitation — server runs …