Server-side Request Forgery (SSRF) Affecting n8n-mcp package, versions >=2.17.1 <2.47.14


Severity: medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence: EPSS 0.04% (12th percentile)

  • Snyk ID: SNYK-JS-N8NMCP-16415906
  • Published: 4 May 2026
  • Disclosed: 30 Apr 2026
  • Credit: manthanghasadiya

Introduced: 30 Apr 2026

CVE-2026-42449
CWE-918

How to fix?

Upgrade n8n-mcp to version 2.47.14 or higher.

Overview

n8n-mcp is an integration between n8n workflow automation and the Model Context Protocol (MCP).

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the SSRFProtection.validateUrlSync function in the src/utils/ssrf-protection.ts component. An attacker can reach internal services and cloud metadata endpoints by supplying IPv6-literal URLs (IPv4-mapped, IPv4-compatible, 6to4, NAT64, ULA, or site-local addresses) that bypass the synchronous URL validation. As a result, user-controlled InstanceContext values in the SDK embedder path reach the HTTP client, exposing the x-n8n-api-key and allowing requests to localhost, RFC1918 networks, and metadata services.

Workarounds

  • Reject any n8nApiUrl whose hostname is an IP literal, including bracketed IPv6 and dotted IPv4, before passing it to N8NDocumentationMCPServer or getN8nApiClient(). This prevents attacker-supplied URLs from reaching internal services or cloud metadata endpoints.
  • Do not accept user-controlled n8nApiUrl values; derive the URL only from internal configuration. This removes the SSRF entry point entirely for SDK embedder deployments.
  • Restrict the n8n-mcp process's outbound network access so that it cannot reach RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local 169.254.0.0/16, or cloud metadata endpoints. This limits the SSRF blast radius even if a malicious URL is supplied.
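
The IPv6 transition formats named in the overview are why an IPv4-only literal check fails. The following TypeScript is an added example, not code from the n8n-mcp project: it implements the first workaround (reject any IP-literal host, dotted IPv4 or bracketed IPv6, before the URL reaches the n8n API client) and adds a helper that recovers the IPv4 address hidden in IPv4-mapped, IPv4-compatible, 6to4 and NAT64 literals, useful for logging or detection. Function names are the author's assumptions.

```typescript
import { isIP } from "node:net";

// Expand an IPv6 literal into eight 16-bit words. A trailing dotted quad
// (e.g. ::ffff:127.0.0.1) is folded into the last two words; null if malformed.
export function ipv6Words(addr: string): number[] | null {
  if (addr.indexOf("::") !== addr.lastIndexOf("::")) return null; // at most one "::"
  const toWords = (part: string): number[] => {
    if (part === "") return [];
    const groups = part.split(":");
    const last = groups[groups.length - 1];
    if (last.includes(".")) { // embedded dotted IPv4 becomes two hex words
      const o = last.split(".").map(Number);
      if (o.length !== 4 || o.some((n) => !(n >= 0 && n <= 255))) return [NaN];
      groups.splice(-1, 1, ((o[0] << 8) | o[1]).toString(16), ((o[2] << 8) | o[3]).toString(16));
    }
    return groups.map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  };
  const parts = addr.split("::"); // length 2 exactly when "::" is present
  const h = toWords(parts[0]), t = parts.length > 1 ? toWords(parts[1]) : [];
  const fill = 8 - h.length - t.length;
  if (h.some(isNaN) || t.some(isNaN) || fill < 0 || (parts.length === 1 && fill !== 0)) return null;
  return [...h, ...new Array(fill).fill(0), ...t];
}

// IPv4 address carried inside a transition-format IPv6 literal, or null if none.
// These are the forms the advisory lists as slipping past an IPv4-only check.
export function embeddedIPv4(addr: string): string | null {
  const w = ipv6Words(addr);
  if (!w) return null;
  const quad = (a: number, b: number) => `${a >> 8}.${a & 0xff}.${b >> 8}.${b & 0xff}`;
  const zero = (from: number, to: number) => w.slice(from, to).every((x) => x === 0);
  if (zero(0, 5) && w[5] === 0xffff) return quad(w[6], w[7]);                  // IPv4-mapped
  if (w[0] === 0x64 && w[1] === 0xff9b && zero(2, 6)) return quad(w[6], w[7]); // NAT64 64:ff9b::/96
  if (w[0] === 0x2002) return quad(w[1], w[2]);                                // 6to4 2002::/16
  if (zero(0, 6) && (w[6] !== 0 || w[7] > 1)) return quad(w[6], w[7]);         // IPv4-compatible
  return null;
}

// Workaround 1 from the advisory: refuse any n8nApiUrl whose host is an IP literal,
// dotted IPv4 or bracketed IPv6 alike, before it reaches the n8n API client.
export function isSafeN8nApiUrl(raw: string): boolean {
  let u: URL | undefined;
  try { u = new URL(raw); } catch { return false; }
  if (!u || (u.protocol !== "http:" && u.protocol !== "https:")) return false;
  const host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  return isIP(host) === 0; // 0 means "not an IP literal", i.e. a DNS name
}
```

DNS names that resolve to internal addresses are not literals and pass this check; the egress restriction in the third workaround is what covers those.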
