GHSA-V8VW-GW5J-W7M6
Vulnerability from github – Published: 2026-05-08 17:02 – Updated: 2026-05-08 17:02
Summary
The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an absolute URL to an external domain.
Details
The TrailingSlashMiddleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path. However, it does not validate or sanitize the resulting path before using it as the redirect target.
When a request is made with a path like //evil.com/, the middleware processes it as follows:
PoC
- Start the registry server locally or identify a deployed instance
- Send a request with a double-slash path followed by an external domain: `curl -v https://<registry-host>//evil.com/`
- Observe the 308 Permanent Redirect response with Location: //evil.com
- When accessed in a browser, the user is redirected to https://evil.com
Impact
- Phishing: Attackers can abuse the trusted registry domain to redirect users to credential-harvesting pages
- Malware distribution: Redirect users to sites serving malicious downloads
- Trust abuse: Links originating from the official MCP Registry domain carry implicit trust
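The middleware behaviour described above, reconstructed as an added Go example that is not the project's own code and not the fix shipped in v1.7.5: the vulnerable form strips the trailing slash and redirects to whatever is left, while the hardened form collapses slashes with path.Clean and only ever emits a single-slash, same-origin Location. The function names, the 404 fallback handler and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Assumed reconstruction of the advisory's description, not the project's code:
// the trailing slash is stripped and the remainder becomes the Location unvalidated.
func vulnerableTrailingSlash(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.URL.Path; len(p) > 1 && strings.HasSuffix(p, "/") {
			// "//evil.com/" becomes "//evil.com", a protocol-relative URL.
			http.Redirect(w, r, strings.TrimSuffix(p, "/"), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Hardened: path.Clean collapses runs of slashes ("//evil.com/" -> "/evil.com"),
// backslashes (slash-like in some browsers) are refused, only "/x" targets are emitted.
func hardenedTrailingSlash(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.URL.Path
		if len(p) > 1 && strings.HasSuffix(p, "/") && !strings.Contains(p, `\`) {
			if t := path.Clean(p); strings.HasPrefix(t, "/") && !strings.HasPrefix(t, "//") {
				http.Redirect(w, r, t, http.StatusPermanentRedirect)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// redirectLocation runs GET target through mw (404 behind it); returns status and Location.
func redirectLocation(mw func(http.Handler) http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	mw(http.NotFoundHandler()).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	_, bad := redirectLocation(vulnerableTrailingSlash, "//evil.com/")
	_, good := redirectLocation(hardenedTrailingSlash, "//evil.com/")
	fmt.Printf("Location: vulnerable=%q hardened=%q\n", bad, good)
}
```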
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/modelcontextprotocol/registry"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44427"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:02:12Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com \u2014 which browsers interpret as an absolute URL to an external domain.\n\n### Details\nThe TrailingSlashMiddleware strips trailing slashes from request paths and issues a 308 Permanent Redirect to the cleaned path. However, it does not validate or sanitize the resulting path before using it as the redirect target.\n\nWhen a request is made with a path like //evil.com/, the middleware processes it as follows:\n\n### PoC\n1. Start the registry server locally or identify a deployed instance\n2. Send a request with a double-slash path followed by an external domain:\n`curl -v https://\u003cregistry-host\u003e//evil.com/`\n\u003cimg width=\"3066\" height=\"969\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a5305f00-29bf-4708-952a-478d608f2074\" /\u003e\n3. Observe the 308 Permanent Redirect response with Location: //evil.com:\n4. When accessed in a browser, the user is redirected to https://evil.com\n\n\n\n### Impact\n**Phishing**: Attackers can abuse the trusted registry domain to redirect users to credential-harvesting pages\n**Malware distribution**: Redirect users to sites serving malicious downloads\n**Trust abuse:** Links originating from the official MCP Registry domain carry implicit trust",
"id": "GHSA-v8vw-gw5j-w7m6",
"modified": "2026-05-08T17:02:12Z",
"published": "2026-05-08T17:02:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-v8vw-gw5j-w7m6"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/pull/1227"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/commit/1201cbd82b2cf6d4b56edfc05c763059a12f9fdb"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/registry"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "MCP Registry has open redirect via protocol-relative path in trailing-slash middleware"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.