THREAT
SSRF (AI Context)
Tags: agentic SSRF, cloud metadata exfiltration, internal network scanning
Server-Side Request Forgery (SSRF) in AI contexts occurs when an LLM agent is manipulated into issuing HTTP requests to unintended destinations: cloud provider metadata endpoints, internal services, or private network ranges.
ADVERSARIAL MECHANICS
The canonical attack path targets cloud-hosted AI agents: an injected instruction directs a browse_web tool to http://169.254.169.254/latest/meta-data/ (AWS IMDSv1). If the agent operates from an EC2 context without IMDSv2 enforcement, the request succeeds and returns IAM credentials.
ATTACK SIGNATURE (MCPVANGUARD / NETWORK.YAML)
blocked_destinations:
  - 169.254.0.0/16   # Link-local / cloud metadata
  - 127.0.0.0/8      # Loopback
  - 10.0.0.0/8       # RFC1918
  - 172.16.0.0/12    # RFC1918
  - 192.168.0.0/16   # RFC1918
  - "*.internal"     # Internal DNS zones
PROTOCOL CONTEXT (MCP)
MCP's network-access tools execute with the host process's network privileges. A compromised tool parameter can transparently redirect these tools toward internal infrastructure. Without outbound destination validation, the agent becomes an authenticated proxy to the internal network.
ProvnAI Mitigation
The network.yaml ruleset in McpVanguard enforces destination allowlists and blocklists at the tool-call parameter level — before any network socket is opened. DNS resolution is performed server-side to prevent rebinding bypass.
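As an added example (not McpVanguard's own code), a Python destination check that applies this page's blocked_destinations ruleset to a tool-call URL before any socket is opened, resolves the hostname on the checking side, and hands back the resolved addresses to pin so the tool cannot be rebound to a different answer. The resolver is injected so the block runs offline; the DEMO_DNS names and addresses are constructed.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Ruleset copied from this page's blocked_destinations list:
# CIDR entries become network checks, glob entries hostname checks.
BLOCKED_DESTINATIONS = ["169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8",
                        "172.16.0.0/12", "192.168.0.0/16", "*.internal"]

# Constructed stand-in for DNS so the example runs offline; the names are
# invented, and dyn.example.net models a public name answering link-local.
DEMO_DNS = {"example.com": ["93.184.216.34"], "api.corp.internal": ["10.1.2.3"],
            "dyn.example.net": ["169.254.169.254"]}

def demo_resolve(host):
    return DEMO_DNS.get(host, [])

def _split_rules(rules):
    nets, globs = [], []
    for rule in rules:
        try:
            nets.append(ipaddress.ip_network(rule, strict=False))
        except ValueError:
            globs.append(rule.lower())
    return nets, globs

def check_destination(url, resolve=demo_resolve):
    """Return (allowed, reason, pinned_ips) for a tool-call URL parameter.
    Connect to pinned_ips, never re-resolve: a second lookup could return a
    blocked address after the check has passed (DNS rebinding)."""
    nets, globs = _split_rules(BLOCKED_DESTINATIONS)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host", []
    if any(fnmatch(host, g) for g in globs):
        return False, f"{host} matches a blocked hostname pattern", []
    try:
        ips = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    if not ips:
        return False, f"{host} did not resolve", []  # fail closed
    for ip in ips:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so v4 ranges still apply.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if any(ip in net for net in nets):
            return False, f"{host} resolves to blocked address {ip}", []
    return True, "ok", [str(ip) for ip in ips]
```

The metadata URL from this page is rejected on the literal-IP path, the `*.internal` name on the glob path, and the rebinding-style name because its resolved answer, not its spelling, falls in 169.254.0.0/16.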