CVE-2025-65513: Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources.
References
- github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65513.md
- github.com/advisories/GHSA-8fxj-2g9q-8fjw
- github.com/zcaceres/fetch-mcp
- github.com/zcaceres/fetch-mcp/blob/c662c8ac300f715e414a64766cd95cc9ec60a1b3/src/Fetcher.ts
- nvd.nist.gov/vuln/detail/CVE-2025-65513
- thorn-pheasant-6d8.notion.site/fetch-mcp-2853daf7b44180029ca5d56e03195736
Code Behaviors & Features
Detect and mitigate CVE-2025-65513 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →