CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G2GW-Q38M-VJFC: Server-Side Request Forgery and Bearer Token Exfiltration in @merill/lokka

Vulnerability ID: GHSA-G2GW-Q38M-VJFC
CVSS Score: 8.7
Published: 2026-06-19

A Server-Side Request Forgery (SSRF) and Bearer Token Exfiltration vulnerability exists in the @merill/lokka (Lokka) Model Context Protocol (MCP) server prior to version 2.1.2. The server constructed Azure Resource Manager request URLs by concatenating user-controlled path parameters directly into destination request strings. By injecting authority-redefinition characters, an attacker can manipulate URL parsing to execute a host-escape attack, forcing the server to send high-privilege Azure Resource Manager (ARM) Bearer tokens to an external attacker-controlled host. This allows complete administrative access to the associated Azure subscriptions.

TL;DR

Unauthenticated Server-Side Request Forgery (SSRF) in the @merill/lokka MCP server allows remote attackers to exfiltrate Azure Resource Manager OAuth 2.0 Bearer tokens to arbitrary servers via malicious path variables containing host-escape characters.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 8.7 (High)
  • Impact: Credential Leakage and Host-Escape
  • Exploit Status: Proof-of-Concept
  • Remediation: Patch to version 2.1.2 or later

Affected Systems

  • @merill/lokka (Lokka) MCP server, all versions prior to 2.1.2 (fixed in 2.1.2)

Code Analysis

Commit: babead8

Introduce validateAzurePath and buildAzureUrl functions to prevent SSRF and host-escape attacks
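The following is an added illustration of the flaw described above and of the validate-then-build approach the fix commit names; it is example code, not Lokka's own implementation. It assumes the pre-2.1.2 pattern was plain string concatenation of a caller-supplied path onto the ARM base URL, and the validateAzurePath/buildAzureUrl bodies, the buildArmUrlNaive helper and the evil.example host used for checking are all constructed for this example.

```javascript
// Added example, not Lokka's code. Assumption: the vulnerable pattern was
// string concatenation of a caller-supplied path onto the ARM base URL.
const ARM_ORIGIN = "https://management.azure.com";

// Vulnerable pattern (assumed): the caller's string is spliced straight
// into the request URL, so whatever it contains shapes the authority.
function buildArmUrlNaive(userPath) {
  return ARM_ORIGIN + userPath;
}

// Defender's check: does the final URL still point at the ARM origin?
function resolvesToArm(urlString) {
  try {
    return new URL(urlString).origin === ARM_ORIGIN;
  } catch (_err) {
    return false; // unparsable URL is treated as not-ARM
  }
}

// Sequences that can redefine the authority once spliced into a URL:
// '@' (userinfo/host split), backslash (treated as '/' by WHATWG parsers),
// whitespace, a leading '//' (protocol-relative URL), or an explicit scheme.
const AUTHORITY_ESCAPE = /[@\\\s]|^\/\/|^[a-z][a-z0-9+.-]*:/i;

// Illustrative stand-in for the validation step named in the fix commit.
function validateAzurePath(userPath) {
  if (typeof userPath !== "string" || !userPath.startsWith("/")) {
    throw new Error("Azure path must be an absolute resource path starting with '/'");
  }
  if (AUTHORITY_ESCAPE.test(userPath)) {
    throw new Error("Azure path contains an authority-escape sequence");
  }
  return userPath;
}

// Hardened construction: validate, resolve relative to a fixed base, then
// re-check the origin so any parser surprise still fails closed.
function buildAzureUrl(userPath) {
  const url = new URL(validateAzurePath(userPath), ARM_ORIGIN);
  if (url.origin !== ARM_ORIGIN) {
    throw new Error("URL origin escaped to " + url.origin);
  }
  return url.href;
}
```

The origin re-check in buildAzureUrl is deliberate defence in depth: even if a new escape sequence slips past the regex, a request whose parsed origin is not the ARM host never leaves the process with the Bearer token attached.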

Mitigation Strategies

  • Upgrade to @merill/lokka version 2.1.2 or higher to secure URL construction paths
  • Implement strict network egress filtering to prevent unauthorized connections to unknown external IPs
  • Ensure that input validation screens out authority-delimiting characters, including the @ symbol and backslashes, from path inputs before they are placed into a request URL

Remediation Steps:

  1. Run npm update @merill/lokka to update to the latest secure version
  2. Verify that your configuration files do not override path validation in the Lokka server initialization
  3. Enable application firewall logging to audit and trace outbound connections from your Model Context Protocol backend

References


Read the full report for GHSA-G2GW-Q38M-VJFC on our website for more details including interactive diagrams and full exploit analysis.