Aem Mcp Server
Server-side request forgery in indrasishbanerjee aem-mcp-server allows authenticated remote attackers with low privileges to manipulate the assetPath argument of the getAssetMetadata function, causing the server's Axios HTTP client to issue arbitrary outbound requests. All code up to commit b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 is affected; the project uses no versioning scheme, making version-based scoping impossible. Publicly available exploit code exists (GitHub issue #3), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of only 2.1 due to limited impact scope and an authentication prerequisite.
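The following Node.js snippet is an added illustration, not code from the aem-mcp-server project: it models how Axios resolves a request URL against a configured baseURL (which is why a raw, attacker-controlled assetPath reaches other hosts) and shows a hardened resolver that validates the asset path before any HTTP call. The AEM_BASE host, the /content/dam/ root and the ".json" metadata suffix are assumptions.

```javascript
const AEM_BASE = "https://aem.example.internal:4502"; // constructed placeholder host
const ALLOWED_ROOT = "/content/dam/"; // assumed DAM root for asset metadata

// Models how Axios combines baseURL with a request URL: an absolute request URL
// (scheme:// or //host) wins and baseURL is dropped, so a raw assetPath is enough
// to redirect the outbound request. Pure model of the library behaviour, no I/O.
function axiosStyleFullPath(baseURL, requestUrl) {
  const isAbsolute = /^([a-z][a-z\d+\-.]*:)?\/\//i.test(requestUrl);
  if (isAbsolute) return requestUrl;
  return baseURL.replace(/\/+$/, "") + "/" + requestUrl.replace(/^\/+/, "");
}

// Collapses "." and ".." segments and repeated slashes of an absolute path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened resolver: returns the metadata URL for a valid asset path, or throws.
function buildAssetMetadataUrl(assetPath, base = AEM_BASE) {
  if (typeof assetPath !== "string" || assetPath.length === 0) {
    throw new Error("assetPath must be a non-empty string");
  }
  // Refuse schemes (http:, file:, gopher:) and protocol-relative "//host" forms.
  if (/^[a-z][a-z\d+\-.]*:/i.test(assetPath) || assetPath.startsWith("//")) {
    throw new Error("assetPath must be a repository path, not a URL");
  }
  // Refuse percent-encoding, backslashes, whitespace and query/fragment markers.
  if (/%[0-9a-f]{2}/i.test(assetPath) || /[\\\s?#]/.test(assetPath)) {
    throw new Error("assetPath contains disallowed characters");
  }
  if (!assetPath.startsWith("/") || assetPath.endsWith("/")) {
    throw new Error("assetPath must be an absolute path to a single asset");
  }
  const normalized = normalizePath(assetPath);
  if (!normalized.startsWith(ALLOWED_ROOT)) {
    throw new Error(`assetPath must stay under ${ALLOWED_ROOT}`);
  }
  const url = new URL(normalized + ".json", base);
  // Defence in depth: the resolved origin must still be the configured AEM host.
  if (url.origin !== new URL(base).origin) {
    throw new Error("resolved URL left the configured AEM origin");
  }
  return url.toString();
}
```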