Skip to content

[Security] DNS Rebinding (TOCTOU) bypass in SSRF protection + MCP tools bypass SSRF validation entirely #6504

Description

@Correctover

Security Vulnerability Report

I have identified two security vulnerabilities in crewai/crewai-tools related to SSRF protection:

Vulnerability 1: DNS Rebinding (TOCTOU) in safe_get() / validate_url()

Location: crewai_tools/security/safe_requests.py + safe_path.py

Issue: validate_url() resolves DNS and checks the IP against private/reserved ranges, then returns the URL as a string. The subsequent requests.get(url) call resolves DNS again, creating a TOCTOU window where the DNS record can change between validation and connection.

Impact: DNS rebinding attack can bypass SSRF protection to access cloud metadata (169.254.169.254) and internal services.

Fix: Use a custom HTTP transport that pins the resolved IP for the actual connection, eliminating the second DNS resolution.

Vulnerability 2: MCP Tool Wrappers bypass SSRF protection entirely

Location: crewai/tools/mcp_tool_wrapper.py + crewai/tools/mcp_native_tool.py

Issue: When CrewAI agents call MCP tools, arguments (including URLs) are passed directly to MCP servers without going through validate_url() or safe_get(). This completely bypasses the SSRF protection for any agent using MCP tools.

Impact: An agent using the MCP fetch server (which has no SSRF protection of its own) can be instructed to fetch internal URLs, cloud metadata, etc.

Fix: Validate URL parameters in MCP tool arguments before passing them to MCP servers.

Disclosure

I am reporting this responsibly. Both issues have proof-of-concept code and detailed analysis ready. Please advise on your preferred disclosure process.

Environment

  • crewai: latest (main branch, commit 7baf8f9)
  • crewai-tools: latest
  • Python 3.11+

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions