Api Lab Mcp

1 CVE for this product

Monthly

CVE-2026-5832 MEDIUM POC This Month

Server-Side Request Forgery (SSRF) in atototo api-lab-mcp versions up to 0.2.1 allows unauthenticated remote attackers to manipulate source/url parameters in analyze_api_spec, generate_test_scenarios, and test_http_endpoint functions within the HTTP interface (http-server.ts). Exploitation permits unauthorized requests to internal or external resources, potentially exposing sensitive data, bypassing access controls, or conducting port scanning. Publicly available exploit code exists. Vendor has not responded to early disclosure (GitHub issue #4).

SSRF Node.js Api Lab Mcp
NVD VulDB GitHub
CVSS 4.0: 6.9
EPSS: 0.0%
