
GHSA-hv85-774v-26fg: auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs

May 19, 2026

  1. Cloud credential theft — server on EC2 / GCE / Azure VM. MCP client invokes auth_fetch({ url: "http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>" }) and receives temporary credentials in the tool response. Or invokes download_media({ urls: [...], output_dir: "/tmp/exfil" }) to persist them to disk.

  2. Internal service enumeration — MCP client probes private-range hosts (10/8, 172.16/12, 192.168/16). Each auth_fetch returns the page DOM; each download_media writes the response to disk.

  3. Loopback exploitation — server runs alongside Redis (127.0.0.1:6379), ElasticSearch (127.0.0.1:9200), or internal admin UIs. MCP client reads them via auth_fetch.

  4. Disk-write side channel (download_media only) — output_dir is also user-controlled, with no documented restriction. An MCP client can request output_dir = "/some/user-writable-shared-dir" and exfil internal-service responses to a location accessible to a co-tenant process.

The injection vector is any content reaching the model that prompts a fetch tool call. The tool description explicitly says “MUST be used instead of Fetch/web_fetch when the page requires login” — meaning the model is encouraged to call this tool for any “private page” mention, which prompt-injected upstream content can trivially trigger.

References

  • github.com/advisories/GHSA-hv85-774v-26fg
  • github.com/ymw0407/auth-fetch-mcp/releases/tag/v3.0.1
  • github.com/ymw0407/auth-fetch-mcp/security/advisories/GHSA-hv85-774v-26fg

Affected versions

All versions before 3.0.1

Fixed versions

  • 3.0.1

Solution

Upgrade to version 3.0.1 or above.

Impact

8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

npm/auth-fetch-mcp/GHSA-hv85-774v-26fg.yml

Page generated Tue, 23 Jun 2026 12:23:16 +0000.