
SSRF vulnerability in MCP server registration and validation #2389

@RinZ27

I've identified a Server-Side Request Forgery (SSRF) vulnerability in the MCP server registration and validation flow.

Description

The validateMcpServer function in packages/core/src/tools.ts (and its caller createProject2 in apps/web/server/api/routers/project.ts) connects to user-provided URLs using MCPClient.create() without any prior safety checks. This allows an attacker to force the Tambo server to make requests to internal network addresses, such as the AWS Metadata Service (169.254.169.254), internal databases, or other private infrastructure.

While a urlSecurity.ts utility exists in apps/web/lib/, it is not applied to MCP server registrations. Furthermore, the existing utility is vulnerable to DNS Rebinding because it performs a separate DNS resolution check before the actual request is made by the client.

Impact

An attacker can probe the internal network where the Tambo API/Web server is hosted, potentially leading to information disclosure or further exploitation of internal services.

Recommendation

  1. Move the URL validation logic from apps/web/lib/urlSecurity.ts to a shared package (e.g., packages/core or a new packages/security) so it can be applied consistently across the codebase.
  2. Ensure validateMcpServer performs strict URL sanitization and SSRF checks before initiating any connections.
  3. Harden the SSRF protection to mitigate DNS Rebinding, for example by resolving the hostname once and using the resulting IP address for the connection (while maintaining the Host header) or by using a dedicated egress proxy.
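An added example, not part of the original issue and not Tambo code: one way to implement recommendation 3, where the caller performs a single DNS lookup and connects only to the address this check returns. The names `pinTarget`, `isBlockedV4` and `BLOCKED_V4` are hypothetical, the block list is a constructed sample, and anything that is not plain IPv4 is rejected (fail closed).

```typescript
// Hypothetical helper names; not taken from the Tambo code base.
type Pinned = { ip: string; port: number; hostHeader: string };

// Constructed sample of IPv4 ranges the server must never dial: [base, prefix bits].
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Strict dotted-quad IPv4 -> unsigned 32-bit integer, or null if not IPv4.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n === null) return true; // IPv6 or malformed answer: fail closed
  return BLOCKED_V4.some(([base, bits]) => {
    const start = v4ToInt(base)!;
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

// `resolved` holds the answers of ONE DNS lookup made by the caller.
// The connection must then go to the returned ip, never to the hostname again.
function pinTarget(rawUrl: string, resolved: string[]): Pinned {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  if (url.hostname.startsWith("[")) throw new Error("IPv6 literal not supported");
  // An IP-literal host is checked directly; supplied DNS answers are ignored for it.
  const candidates = v4ToInt(url.hostname) !== null ? [url.hostname] : resolved;
  if (candidates.length === 0) throw new Error("no addresses");
  // Reject if ANY answer is internal, so a mixed record set cannot slip through.
  if (candidates.some(isBlockedV4)) throw new Error("blocked address");
  const port = url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80;
  return { ip: candidates[0], port, hostHeader: url.host };
}
```

For HTTPS targets the caller still has to verify the certificate and set SNI against the original hostname while dialing the pinned IP, and redirects need to pass through the same check.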
