Executive Intelligence Brief
A high-severity vulnerability has been discovered in the Apify Model Context Protocol (MCP) server, specifically in the `@apify/actors-mcp-server` package version `0.10.7`. This vulnerability allows an attacker to inject a malicious `webServerMcpPath` value, leading to the exfiltration of the victim's Apify API token. The vulnerability has a CVSS Base Score of 8.1 (High) and requires immediate attention.
The affected technology is the Apify Model Context Protocol (MCP) server, which is used for communication between actors in the Apify platform. The vulnerability has a broad deployment footprint, as it affects users of the `@apify/actors-mcp-server` package.
The bottom line recommendation is to upgrade to a patched version of `@apify/actors-mcp-server` and to implement additional security controls to prevent similar vulnerabilities in the future.
Threat Overview
The Apify Model Context Protocol (MCP) server is a critical component of the Apify platform, enabling communication between actors. The vulnerability in `@apify/actors-mcp-server` version `0.10.7` allows an attacker to publish a malicious Actor with a crafted `webServerMcpPath` value, causing the MCP client to resolve the final URL to an entirely different host.
This vulnerability has historical context, as it is a Server-Side Request Forgery (SSRF) / URL authority injection vulnerability, similar to other vulnerabilities in the same class.
Technical Deep Dive
Vulnerability Classification
The vulnerability is classified as a Server-Side Request Forgery (SSRF) / URL authority injection vulnerability, specifically CWE-918. This class of vulnerability occurs when an attacker can manipulate a server-side request to make it send requests to an unintended location.
The CVSS vector details are not explicitly provided, but the CVSS Base Score is 8.1 (High).
Root Cause Analysis
The fundamental coding flaw is in the `getActorMCPServerURL()` function in `src/mcp/actors.ts:44`, which constructs the Actor standby MCP URL by naive string concatenation of a trusted base URL with an attacker-controlled `webServerMcpPath` value.
The assumptions that were violated are:
- The `webServerMcpPath` value is not validated to begin with a `/` (relative path).
- The `webServerMcpPath` value is not validated to avoid an `@` character (userinfo/authority injection).
- The `webServerMcpPath` value is not validated to resolve to the same origin as `standbyUrl`.
Attack Vector & Chain
The attack vector involves an attacker publishing a malicious Actor with a crafted `webServerMcpPath` value. The attack chain is as follows:
1. The attacker publishes a malicious Actor with a crafted `webServerMcpPath` value.
2. The victim invokes `call-actor`, `fetch-actor-details`, or any actor-mcp type tool against the malicious Actor.
3. The MCP client resolves the final URL to an entirely different host controlled by the attacker.
4. The MCP client sends the victim's Apify API token to the attacker's server.
Preconditions:
- The victim has an Apify API token configured.
- The victim invokes a vulnerable tool against the malicious Actor.
No user interaction is needed, but authentication is required in the sense that the victim's Apify API token is used.
Exploitation Scenario Walkthrough
**Scenario: Apify Token Exfiltration via Malicious Actor Definition**
1. **Reconnaissance**: The attacker discovers the vulnerable version of `@apify/actors-mcp-server` being used by the victim.
2. **Weaponization**: The attacker crafts a malicious Actor definition with a `webServerMcpPath` value set to `@attacker.example/mcp`.
3. **Delivery & Exploitation**: The attacker publishes the malicious Actor definition on the Apify platform. The victim invokes a vulnerable tool against the malicious Actor, causing the MCP client to send the victim's Apify API token to the attacker's server.
4. **Post-Exploitation**: The attacker uses the exfiltrated Apify API token to access the victim's Apify account, potentially leading to further exploitation or data exfiltration.
5. **Impact Realization**: The victim's Apify API token is exfiltrated, granting the attacker full access to the victim's Apify account.
Exploitation in the Wild
There is no evidence of active exploitation in the wild, but the vulnerability is likely to be exploited due to its high severity and the ease of exploitation.
Impact Analysis
Direct Impact
The direct impact of this vulnerability is the exfiltration of the victim's Apify API token, which grants full access to the victim's Apify account. This can lead to unauthorized access, data exfiltration, and potential financial losses.
Downstream & Cascading Effects
The downstream effects of this vulnerability include:
- Supply chain risk: If the victim's Apify account is used to manage other services or dependencies, the attacker may be able to exploit these services as well.
- Regulatory implications: Depending on the nature of the data stored in the Apify account, there may be regulatory implications, such as GDPR or HIPAA violations.
Affected Products & Versions
The affected product is `@apify/actors-mcp-server` version `0.10.7`. The fixed version is not explicitly mentioned, but it is recommended to upgrade to a patched version.
Detection & Threat Hunting
Indicators of Compromise
Indicators of compromise include:
- Unusual traffic to unknown or suspicious domains.
- Unexpected requests to the Apify API with an invalid or stolen token.
Detection Rules & Signatures
Detection rules and signatures may include:
- Monitoring for suspicious traffic to unknown domains.
- Analyzing Apify API logs for unusual patterns or invalid token usage.
Threat Hunting Queries
Threat hunting queries may include:
- Searching for suspicious Actor definitions on the Apify platform.
- Analyzing network traffic for unusual patterns or communication with unknown domains.
Remediation & Hardening
Immediate Actions (0-24 hours)
Immediate actions include:
- Upgrading to a patched version of `@apify/actors-mcp-server`.
- Reviewing Apify API logs for suspicious activity.
Short-Term Hardening (1-7 days)
Short-term hardening includes:
- Implementing additional security controls, such as network segmentation or WAF rules.
- Enhancing monitoring and logging to detect similar vulnerabilities in the future.
Strategic Recommendations
Strategic recommendations include:
- Regularly reviewing and updating dependencies to prevent similar vulnerabilities.
- Implementing a robust security program to detect and respond to vulnerabilities.
Analyst Assessment
The risk of inaction is high, as the vulnerability is likely to be exploited, leading to potential data exfiltration and financial losses. It is essential to upgrade to a patched version of `@apify/actors-mcp-server` and implement additional security controls to prevent similar vulnerabilities in the future.
Sources
- GitHub Security Advisories: GHSA-6gr2-qh89-hxwm
- CVE-2026-50143