stellar-non-fungible
on https://mcp.openzeppelin.com/contracts/stellar/mcp
Severity
1 finding on this tool
- highssrf surfacef-r8-stellar_non_fungible
Tool `stellar-non-fungible` accepts an unconstrained URL / endpoint parameter
The parameter(s) `tokenUri` look like URL or endpoint inputs but carry no `pattern` or `enum` constraint. An agent tricked by an indirect-injection payload can invoke this tool with an internal-service URL (e.g. `http://169.254.169.254/`) to exfiltrate cloud metadata, probe internal APIs, or pivot to services the host can reach but the caller cannot.
fix: Constrain the URL parameter with an allow-list `enum`, or a `pattern` that restricts scheme and domain. Validate server-side against an allow-list and reject private / loopback / link-local address ranges at the HTTP client level.
OWASP LLM07NIST MANAGE-2.2ATLAS T0051
About this tool
stellar-non-fungible is one of 3 tools exposed by OpenZeppelin Stellar Contracts MCP. The server scored 96/100 overall against the capframe rule engine (source: http). Last scanned 2026-06-26.
The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.