Averyy/fetchaller-mcp · critical

Simple MCP server that allows Claude Code to fetch URLs without permission prompts (including Reddit).

An MCP server that allows Claude Code to fetch any URL without permission prompts, bypassing bot challenges (Cloudflare, Akamai) and providing built-i...

purpose: An MCP server that allows Claude Code to fetch any…
threat: network exposed
Python · 8 · Jun 10, 2026 · Jun 11, 2026 · GITHUB ↗
RISK SCORE
0 / 100 risk
high findings: +50
medium findings: +30
critical findings: +40
capped at 100
Indicators — descriptive signals, not vulnerabilities
dynamic-import · src/fetchaller/__init__.py:3 · from importlib.metadata import version
These are automated indicators of code characteristics detected by regex pattern matching. They are informational, not security verdicts. Some patterns (e.g. telegram, crypto-wallet) may reflect legitimate functionality. The single hit here is a regex match on an ordinary static import statement: importlib.metadata.version reads installed package metadata and does not load code at runtime.
VULNERABILITY ANALYSIS · 5 findings in 4 blocks · 3 HIGH · 2 MEDIUM
CRITICAL · 2 findings
src/fetchaller/server.py:618
618            if name == "fetch":
619                result = await fetch_url(
620                    url=arguments["url"],
621                    max_tokens=max(1, min(250000, arguments.get("maxTokens", config.default_max_tokens))),
622                    timeout=max(1, min(300, arguments.get("timeout", config.default_timeout_seconds))),
623                    raw=arguments.get("raw", False),
624                    cache=cache,
625                    config=config,
626                    browser_solver=browser_solver,
627                )
HIGH · 1 finding
src/fetchaller/server.py:196
196            Tool(
197                name="fetch",
198                description=(
199                    "Fetch any URL and return the page content as clean markdown. "
200                    "Handles HTML, JSON, XML, CSV, and PDF files. "
201                    "Use this tool for reading/fetching web pages - it has no domain restrictions. "
202                    "For discovering URLs via search, use the search tool. For reading URL content, use this tool."
203                ),
204                inputSchema={
205                    "type": "object",
206                    "properties": {
207                        "url": {
208                            "type": "string",
209                            "description": "The URL to fetch",
210                        },
211                        ...
212                    },
213                    "required": ["url"],
214                },
215            ),
src/fetchaller/server.py:196 · src/fetchaller/tools/fetch.py:1

// Exploitable by any user of the MCP server. The bypass capability is inherent to the tool design.

EXPLAIN: The fetch tool is built to get past bot challenges (Cloudflare, Akamai) using TLS fingerprint impersonation and a browser solver, and its own description advertises that it "has no domain restrictions". Together these let the tool retrieve any reachable URL as if it were a real browser, defeating anti-scraping controls. The project presents this as a feature, but it goes beyond fetching pages for the user's own reading and enables scraping of protected content without the site's authorization.
IMPACT: The tool can pull content from sites that rely on bot protection, including paywalled or otherwise restricted material, in violation of those sites' terms of service. The operator carries the resulting legal and reputational exposure.
FIX: Add a domain allowlist, or restrict fetch to URLs returned by the search tool in the same session. Document that bypassing bot protections may violate terms of service, and consider an explicit user-consent step before the browser solver is used.
MEDIUM · 1 finding
src/fetchaller/server.py:609
609    @server.call_tool()
610    async def call_tool(name: str, arguments: dict) -> CallToolResult:
611        """Handle tool calls."""
612
613        start_time = time.time()
614        tool_args_summary = _summarize_args(name, arguments)
615        _log(f"TOOL START: {name} {tool_args_summary}")
616
617        try:
618            if name == "fetch":
619                result = await fetch_url(
620                    url=arguments["url"],
621                    ...
622                )
src/fetchaller/server.py:609

// Exploitable if an attacker can inject prompts into the LLM's context (e.g., by hosting a malicious website that the LLM reads). This is a common attack vector in MCP systems.

EXPLAIN: Tool arguments are taken straight from the LLM's output. The numeric arguments are clamped (maxTokens to 1..250000 and timeout to 1..300 seconds in the dispatch shown above), but the url string is handed to fetch_url unchanged, with no check on its scheme, host or destination address. An attacker who can steer the model's output, for instance through a prompt injection in a page the model has just fetched, can make it call fetch with an attacker-chosen URL, such as an attacker-controlled server with conversation data encoded in the query string.
IMPACT: Prompt injection turns the tool into an SSRF and exfiltration primitive: the server fetches whatever the model is told to fetch, including hosts on the operator's own network that the attacker cannot reach directly, and can carry conversation data out in the request. The risk is inherent to MCP architectures, but an unrestricted fetch tool makes it directly exploitable.
FIX: Validate the url argument before it reaches fetch_url: allow only http and https, resolve the host and reject loopback, private, link-local and cloud-metadata addresses, and enforce a domain allowlist where the deployment permits one. Limit string lengths and validate the remaining arguments against expected patterns. Consider running tool calls in a separate, restricted context.
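The guard both fixes describe (the allowlist or search-discovered restriction above, and the url validation here), written out as an added example. This is not fetchaller code: validate_fetch_url, DiscoveredUrls, is_public_address, the resolver table and every URL below are hypothetical or constructed for illustration. The resolver is injectable so the demo runs offline; in the real dispatch the default system resolver would be used and the returned url passed on to fetch_url.

```python
"""Added example: a url guard for an MCP fetch tool. Not fetchaller code;
all names and sample data here are hypothetical/constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

MAX_URL_LEN = 2048  # assumed limit; long strings are a cheap DoS/exfil channel


class UrlRejected(ValueError):
    """Raised with a human-readable reason when a url fails a check."""


def default_resolver(host: str) -> list[str]:
    """System DNS lookup (A and AAAA); literal IPs come back unchanged."""
    return [i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def is_public_address(ip: str) -> bool:
    """False for loopback, RFC1918/ULA, link-local (incl. 169.254.169.254), multicast, etc."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class DiscoveredUrls:
    """Per-session set of URLs the search tool returned; fetch may be limited to these."""
    def __init__(self) -> None:
        self.urls: set[str] = set()

    def record(self, urls: Iterable[str]) -> None:
        self.urls.update(urls)


def validate_fetch_url(url: str, *, allowed_hosts: Optional[set[str]] = None,
                       discovered: Optional[DiscoveredUrls] = None,
                       resolver: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Return url unchanged if it passes every check, else raise UrlRejected."""
    if not isinstance(url, str) or len(url) > MAX_URL_LEN:
        raise UrlRejected(f"url must be a string of at most {MAX_URL_LEN} characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UrlRejected(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise UrlRejected("url has no host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UrlRejected(f"host {host!r} is not on the allowlist")
    if discovered is not None and url not in discovered.urls:
        raise UrlRejected("url was not returned by the search tool this session")
    try:
        addrs = list(resolver(host))
    except OSError as exc:
        raise UrlRejected(f"cannot resolve {host!r}: {exc}") from exc
    # Every answer must be public: one public plus one internal record is a
    # DNS-rebinding setup, so the host is rejected as a whole.
    if not addrs or not all(is_public_address(ip) for ip in addrs):
        raise UrlRejected(f"{host!r} resolves to no address or a non-public one: {addrs}")
    return url


def demo() -> dict[str, bool]:
    """Run the guard over constructed URLs against a constructed DNS table (no network)."""
    table = {"docs.example.com": ["93.184.216.34"],  # constructed sample answers
             "intranet.corp": ["10.0.0.5"],
             "rebind.example.net": ["93.184.216.34", "127.0.0.1"]}

    def fake_resolver(host: str) -> list[str]:
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            if host not in table:
                raise socket.gaierror(f"constructed NXDOMAIN for {host}")
            return table[host]

    found = DiscoveredUrls()
    found.record(["https://docs.example.com/guide"])  # as if returned by search
    cases = {
        "public_ok": ("https://docs.example.com/guide", {}),
        "file_scheme": ("file:///etc/passwd", {}),
        "loopback_ip": ("http://127.0.0.1:8080/admin", {}),
        "metadata_ip": ("http://169.254.169.254/latest/meta-data/", {}),
        "ipv6_loopback": ("http://[::1]/", {}),
        "mapped_private": ("http://[::ffff:10.0.0.1]/", {}),
        "private_dns": ("http://intranet.corp/", {}),
        "rebind_mixed": ("https://rebind.example.net/", {}),
        "nxdomain": ("https://nothing.invalid/", {}),
        "not_allowlisted": ("https://docs.example.com/guide", {"allowed_hosts": {"wiki.example.com"}}),
        "not_discovered": ("https://docs.example.com/other", {"discovered": found}),
        "discovered_ok": ("https://docs.example.com/guide", {"discovered": found}),
    }
    out = {}
    for label, (url, opts) in cases.items():
        try:
            validate_fetch_url(url, resolver=fake_resolver, **opts)
            out[label] = True
        except UrlRejected:
            out[label] = False
    return out
```

Two caveats for anyone wiring this into a dispatch like the one shown above. Resolving here and connecting later is a time-of-check/time-of-use gap: the fetcher should connect to the address that was validated (or re-run the check at connect time), and every redirect target must go through the same guard, since a public host can redirect to an internal one. The allowlist and discovered-URL checks are deliberately separate knobs because a deployment that only wants SSRF protection can leave both off and still get the address check.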
MEDIUM · 1 finding
src/fetchaller/server.py:321
321            Tool(
322                name="search",
323                description=(
324                    "Search the web and return results with titles, URLs, and snippets. "
325                    "Use this to discover URLs, then use fetch to read full page content."
326                ),
327                inputSchema={
328                    "type": "object",
329                    "properties": {
330                        "query": {
331                            "type": "string",
332                            "description": "Search query",
333                        },
334                        "page": {
335                            "type": "integer",
336                            "minimum": 1,
337                            "default": 1,
338                            "description": "Result page (1-indexed, default: 1)",
339                        },
340                    },
341                    "required": ["query"],
342                },
343            ),
src/fetchaller/server.py:321 · src/fetchaller/tools/search.py:1

// Exploitable by any user of the MCP server. The broad search capability is inherent to the tool design.

EXPLAIN: The search tool accepts arbitrary queries with no restriction. Paired with fetch, it lets the model discover and then read any publicly reachable web content. That is the intended purpose, but without any scope limit (topic, domain) the pair can be used for anything, including locating and retrieving harmful or prohibited content.
IMPACT: The two tools together amount to an unrestricted web browser driven by the model: they can be used to search for and retrieve sensitive information or prohibited content, or to locate vulnerable targets for further attack.
FIX: Consider content filtering or domain allowlisting. At minimum, document the risks and recommend deploying the server in a sandbox whose network egress is restricted to the hosts it needs.
6/11/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.