Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
AnalysisAI
Server-side request forgery (SSRF) in pixelsock directus-mcp 1.0.0 allows authenticated remote attackers to manipulate the fileUrl argument in the validateUrl function, enabling requests to internal resources including cloud metadata services and private networks. Publicly available exploit code exists and a patch awaiting acceptance is available on GitHub. CVSS 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects moderate impact with authentication requirement.
Technical ContextAI
The vulnerability resides in the MCP Interface component's index.ts file, specifically in the validateUrl function that processes user-supplied fileUrl parameters without proper validation. The root cause is CWE-918 (Server-Side Request Forgery), where URL validation is insufficiently restrictive. The affected product is pixelsock directus-mcp (CPE: cpe:2.3:a:pixelsock:directus-mcp:*:*:*:*:*:*:*:*), a Model Context Protocol (MCP) implementation for Directus. The original code accepts URLs without checking whether the resolved hostname maps to forbidden address ranges such as private networks (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12), loopback (127.0.0.0/8), link-local addresses (169.254.0.0/16 including cloud metadata endpoints like 169.254.169.254), or IPv6 equivalents. The patch introduces comprehensive SSRF prevention via DNS resolution validation, IP address parsing, and blocklisting of forbidden ranges including RFC 1918 private space, loopback, link-local, multicast, and cloud metadata addresses.
RemediationAI
Apply the patch from GitHub PR #14 (https://github.com/pixelsock/directus-mcp/pull/14), which replaces the insufficient validateUrl function with comprehensive SSRF protection including DNS resolution, IP validation, and blocklisting of private, loopback, link-local, multicast, and cloud metadata address ranges. If the PR has not yet been merged into a released version at the time of assessment, either apply the patch commits directly to your codebase or wait for the maintainers to merge and release a patched version. As an interim compensating control pending patch deployment, restrict network access from the directus-mcp process to only external, non-private networks via network policy (e.g., firewall rules, container security policies blocking 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 169.254.0.0/16); however, this control is not foolproof if the MCP service has legitimate reasons to contact internal APIs. Alternatively, disable or restrict access to the fileUrl feature if not essential to your use case, reducing the attack surface. Monitor access logs for unexpected internal resource requests or DNS lookups to private address ranges.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26883