📄 Description (English)
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
🤖 AI Executive Summary
FastGPT versions prior to 4.14.9.5 contain a Server-Side Request Forgery (SSRF) vulnerability in MCP tools endpoints that allows authenticated attackers to make arbitrary HTTP requests to internal networks and cloud metadata services. The vulnerability exists because the application fails to validate URLs against internal address ranges despite having protective functions available elsewhere. This could enable attackers to scan internal infrastructure, access sensitive services like MongoDB and Redis, and potentially compromise cloud credentials.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 21:32
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using FastGPT for AI agent development face significant risk, particularly in banking and financial services (SAMA-regulated entities), government agencies (NCA oversight), and healthcare institutions. The SSRF vulnerability could allow authenticated users to access internal MongoDB/Redis databases containing sensitive customer data, financial records, and personal health information. Government entities using FastGPT for internal AI applications could have their internal networks scanned and compromised. Telecom operators (STC, Mobily) and energy sector organizations (ARAMCO subsidiaries) using this platform for AI workflows are at risk of infrastructure reconnaissance and potential lateral movement to critical systems.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Cloud Service Providers
Technology and Software Development
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all FastGPT instances in your environment and document their versions
2. Restrict network access to FastGPT MCP endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) to trusted users only
3. Implement network segmentation to prevent FastGPT servers from accessing internal services (MongoDB, Redis, metadata services)
4. Review audit logs for suspicious MCP tool endpoint usage patterns
PATCHING:
5. Upgrade FastGPT to version 4.14.9.5 or later immediately
6. Test the patched version in a staging environment before production deployment
7. Verify that the isInternalAddress() validation function is now properly called for all MCP endpoints
COMPENSATING CONTROLS (if immediate patching not possible):
8. Implement Web Application Firewall (WAF) rules to block requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/8, 169.254.0.0/16)
9. Block access to cloud metadata services (169.254.169.254, instance metadata endpoints)
10. Disable MCP tools functionality if not actively used
11. Implement strict egress filtering on FastGPT server network interfaces
DETECTION:
12. Monitor for HTTP requests from FastGPT to internal IP ranges in proxy/firewall logs
13. Alert on MCP endpoint calls with suspicious URL parameters (internal IPs, localhost, metadata service URLs)
14. Track failed connection attempts to internal services from FastGPT processes
15. Review FastGPT application logs for unusual MCP tool invocations
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات FastGPT في بيئتك وقثق إصداراتها
2. قيد الوصول إلى نقاط نهاية FastGPT MCP (/api/core/app/mcpTools/getTools و /api/core/app/mcpTools/runTool) للمستخدمين الموثوقين فقط
3. طبق تقسيم الشبكة لمنع خوادم FastGPT من الوصول إلى الخدمات الداخلية (MongoDB و Redis وخدمات البيانات الوصفية)
4. راجع سجلات التدقيق لأنماط استخدام نقطة نهاية أدوات MCP المريبة
التصحيح:
5. قم بترقية FastGPT إلى الإصدار 4.14.9.5 أو أحدث على الفور
6. اختبر الإصدار المصحح في بيئة التجهيز قبل نشر الإنتاج
7. تحقق من أن وظيفة التحقق من isInternalAddress() يتم استدعاؤها الآن بشكل صحيح لجميع نقاط نهاية MCP
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
8. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات إلى نطاقات IP الخاصة (10.0.0.0/8 و 172.16.0.0/12 و 192.168.0.0/16 و 127.0.0.1/8 و 169.254.0.0/16)
9. احجب الوصول إلى خدمات بيانات السحابة الوصفية (169.254.169.254 ونقاط نهاية بيانات المثيل)
10. عطل وظيفة أدوات MCP إذا لم تكن قيد الاستخدام النشط
11. طبق تصفية الخروج الصارمة على واجهات شبكة خادم FastGPT
الكشف:
12. راقب طلبات HTTP من FastGPT إلى نطاقات IP الداخلية في سجلات الوكيل/جدار الحماية
13. أصدر تنبيهات عند استدعاءات نقطة نهاية MCP مع معاملات URL مريبة (عناوين IP داخلية و localhost وعناوين خدمات البيانات الوصفية)
14. تتبع محاولات الاتصال الفاشلة بالخدمات الداخلية من عمليات FastGPT
15. راجع سجلات تطبيق FastGPT للاستدعاءات المريبة لأدوات MCP
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.8.1.1 - User access management and authentication
ECC 2024 A.13.1.3 - Segregation of networks
ECC 2024 A.13.2.1 - Security of network services
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software, platforms, and applications inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.DS-2 - Data security and protection
SAMA CSF DE.CM-1 - Network monitoring and detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Supplier relationships
ISO 27001:2022 A.8.1 - User access management
ISO 27001:2022 A.8.3 - Password management
ISO 27001:2022 A.13.1 - Network security perimeter
ISO 27001:2022 A.13.2 - Network access control
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall configuration standards
PCI DSS 1.3 - Network segmentation
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 7.1 - Access control implementation
🔗 References & Sources 4
🔗
https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00
security-advisories@github.com
Patch
🔗
https://github.com/labring/FastGPT/pull/6640
security-advisories@github.com
Issue Tracking
Patch
🔗
https://github.com/labring/FastGPT/releases/tag/v4.14.9.5
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 1 entries
fastgpt:fastgpt