Security Vulnerability Report
I have identified two security vulnerabilities in crewai/crewai-tools related to SSRF protection:
Vulnerability 1: DNS Rebinding (TOCTOU) in safe_get() / validate_url()
Location: crewai_tools/security/safe_requests.py + safe_path.py
Issue: validate_url() resolves DNS and checks the IP against private/reserved ranges, then returns the URL as a string. The subsequent requests.get(url) call resolves DNS again, creating a TOCTOU window where the DNS record can change between validation and connection.
Impact: DNS rebinding attack can bypass SSRF protection to access cloud metadata (169.254.169.254) and internal services.
Fix: Use a custom HTTP transport that pins the resolved IP for the actual connection, eliminating the second DNS resolution.
Vulnerability 2: MCP Tool Wrappers bypass SSRF protection entirely
Location: crewai/tools/mcp_tool_wrapper.py + crewai/tools/mcp_native_tool.py
Issue: When CrewAI agents call MCP tools, arguments (including URLs) are passed directly to MCP servers without going through validate_url() or safe_get(). This completely bypasses the SSRF protection for any agent using MCP tools.
Impact: An agent using the MCP fetch server (which has no SSRF protection of its own) can be instructed to fetch internal URLs, cloud metadata, etc.
Fix: Validate URL parameters in MCP tool arguments before passing them to MCP servers.
Disclosure
I am reporting this responsibly. Both issues have proof-of-concept code and detailed analysis ready. Please advise on your preferred disclosure process.
Environment
- crewai: latest (main branch, commit 7baf8f9)
- crewai-tools: latest
- Python 3.11+
Security Vulnerability Report
I have identified two security vulnerabilities in crewai/crewai-tools related to SSRF protection:
Vulnerability 1: DNS Rebinding (TOCTOU) in
safe_get()/validate_url()Location:
crewai_tools/security/safe_requests.py+safe_path.pyIssue:
validate_url()resolves DNS and checks the IP against private/reserved ranges, then returns the URL as a string. The subsequentrequests.get(url)call resolves DNS again, creating a TOCTOU window where the DNS record can change between validation and connection.Impact: DNS rebinding attack can bypass SSRF protection to access cloud metadata (169.254.169.254) and internal services.
Fix: Use a custom HTTP transport that pins the resolved IP for the actual connection, eliminating the second DNS resolution.
Vulnerability 2: MCP Tool Wrappers bypass SSRF protection entirely
Location:
crewai/tools/mcp_tool_wrapper.py+crewai/tools/mcp_native_tool.pyIssue: When CrewAI agents call MCP tools, arguments (including URLs) are passed directly to MCP servers without going through
validate_url()orsafe_get(). This completely bypasses the SSRF protection for any agent using MCP tools.Impact: An agent using the MCP fetch server (which has no SSRF protection of its own) can be instructed to fetch internal URLs, cloud metadata, etc.
Fix: Validate URL parameters in MCP tool arguments before passing them to MCP servers.
Disclosure
I am reporting this responsibly. Both issues have proof-of-concept code and detailed analysis ready. Please advise on your preferred disclosure process.
Environment