The AI-First Web

SearXNG MCP Server SSRF: When AI Search Tools Become Network Probes

DNS-resolved SSRF in SearXNG MCP Server lets AI agents scan internal networks. 200+ implementations, thin audit trail.


The Search Tool That Searches Inward

A server-side request forgery vulnerability was disclosed in the SearXNG MCP Server — a tool that gives AI agents the ability to search the web via the Model Context Protocol. The flaw is a DNS-resolved private hostname SSRF: an attacker can craft a search query that causes the MCP server to resolve a hostname pointing to a private IP address, effectively turning the AI agent's search tool into a network scanner for internal infrastructure.

The vulnerability is conceptually simple. The MCP server accepts URLs as part of search operations. It resolves the hostnames in those URLs without validating whether the resolved IP address is private or public. A hostname that resolves to 10.0.0.1 or 169.254.169.254 (the cloud metadata endpoint) is treated identically to one resolving to a public address. The search tool designed to look outward at the internet can be pointed inward at the organization's own network.

DNS-resolved private hostname: SearXNG MCP Server SSRF (Source: GitHub Advisory, June 2026)
200+: MCP server implementations (Source: O'Reilly Radar, June 2026)

MCP's Security Surface Area

The Model Context Protocol has crossed 200 server implementations since Anthropic's initial specification. These servers connect AI agents to databases, monitoring systems, search engines, file systems, and development tools. Each implementation is an independently developed piece of software that handles input from AI models and translates it into actions against external systems. The security review process for most MCP servers amounts to whatever the individual developer chose to implement.

The SearXNG SSRF is not an isolated finding. In the same disclosure period, the Network-AI ApprovalInbox MCP server was found to have zero authentication — any client that could reach it could execute operations without credentials. These are not edge cases in obscure tools. They are structural patterns in a protocol ecosystem that prioritized capability before security.

57.5%: Bot share of web traffic (Source: Cloudflare Radar, 2026)
Zero authentication: Network-AI ApprovalInbox (Source: GitHub Advisory, June 2026)

The Agent Vulnerability Chain

When an AI agent uses a search MCP server, the agent inherits that server's vulnerabilities. If the search server is vulnerable to SSRF, the agent can be manipulated into scanning internal networks — not through a flaw in the AI model, but through a flaw in the tool the model was given. The agent does not know it is being used as a proxy. It processes the search results as legitimate data and may act on them, reporting internal network information back to whoever crafted the query.

This is the same pattern visible in the agentjacking attacks against Sentry MCP integrations: AI agents operating in privileged network contexts, processing input from tools with insufficient security boundaries. The common thread is not a vulnerability in any specific AI model. It is the assumption that tools connected to AI agents are trusted — an assumption inherited from an era when tools were used by humans who could evaluate their outputs.

What This Means for Web Infrastructure

Organizations deploying MCP servers alongside web infrastructure face a new topology question. The MCP server typically runs in the same network segment as the applications it supports — behind the firewall, with access to internal services. An SSRF in that MCP server provides a path from an AI agent's external input to the organization's internal network, bypassing perimeter defenses entirely.

The mitigation is architectural, not procedural. MCP servers that make outbound requests must validate resolved IP addresses against private ranges. They must run in isolated network segments with no access to internal services. They must treat every input from the AI model as untrusted, because the model's input may originate from a prompt injection, a crafted search result, or a deliberately malicious tool response.
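The resolved-address check described above, as an added example; it is not code from the SearXNG MCP Server or from this article's author. The names `vet_url`, `BlockedDestination`, `fake_resolver` and the hostnames in `FAKE_DNS` are hypothetical, and the example goes slightly beyond the text by rejecting a host when any one of its answers is non-public and by unwrapping IPv4-mapped IPv6 addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class BlockedDestination(ValueError):
    """The URL must not be fetched by the server."""

def _is_public(addr):
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:10.0.0.1 -> 10.0.0.1
    # is_global is False for private, loopback, link-local and reserved ranges
    return ip.is_global and not ip.is_multicast

def vet_url(url, resolver=socket.getaddrinfo):
    """Return the vetted public IPs for url, or raise BlockedDestination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        answers = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise BlockedDestination(f"cannot resolve {parts.hostname}") from exc
    ips = sorted({answer[4][0] for answer in answers})
    bad = [ip for ip in ips if not _is_public(ip)]
    if bad or not ips:  # one non-public answer is enough to reject the host
        raise BlockedDestination(f"{parts.hostname} -> {bad or 'no address'}")
    # Connect to a returned IP instead of re-resolving, or the answer may change.
    return ips

# Constructed DNS answers (made-up hostnames); only the address field is read.
FAKE_DNS = {
    "search.example": ["93.184.216.34"],
    "metadata.test-host.example": ["169.254.169.254"],
    "intranet.test-host.example": ["10.0.0.1"],
    "mixed.test-host.example": ["93.184.216.34", "::ffff:127.0.0.1"],
}

def fake_resolver(host, port, type=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "unknown host")
    return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in FAKE_DNS[host]]

if __name__ == "__main__":
    for name in FAKE_DNS:
        try:
            print("allowed", name, vet_url(f"http://{name}/", fake_resolver))
        except BlockedDestination as err:
            print("blocked", err)
```

In a real server the default `socket.getaddrinfo` resolver is used, and the HTTP client has to be pointed at the vetted IP (with the original hostname kept for TLS and the Host header) for the check to hold across the connection.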

The MCP ecosystem is building the nervous system of the agentic web. The SearXNG disclosure is an early signal that the nervous system has no immune response. The probe enters inward, and nothing stops it.
