The n8n-mcp SDK versions 2.47.4 to 2.47.13 contain an SSRF vulnerability due to insufficient IPv6 address validation in the synchronous URL validator (SSRFProtection.validateUrlSync). IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypass checks that block requests to cloud metadata services, localhost, and private IP ranges. This allows attackers controlling the n8nApiUrl parameter to induce the server to make HTTP requests to internal resources and retrieve response bodies, with the n8nApiKey forwarded in the x-n8n-api-key header. The vulnerability affects deployments embedding n8n-mcp as an SDK with user-supplied InstanceContext. The first-party HTTP server deployment is not primarily affected due to an additional asynchronous validator. The issue is resolved in version 2.47.14.

Successful exploitation allows an attacker to perform SSRF attacks that can access cloud metadata endpoints, internal network services, and localhost resources. The attacker can receive the response content from these requests and also have the n8nApiKey forwarded to the attacker-controlled endpoint, potentially exposing sensitive credentials. This can lead to information disclosure and further compromise of internal systems. The CVSS v3.1 score is 8.5 (high severity) with network attack vector, low attack complexity, requiring low privileges, no user interaction, and impacts confidentiality and integrity.

A fixed version 2.47.14 of n8n-mcp is available and should be applied to remediate this vulnerability. If immediate upgrade is not possible, users should validate URLs before passing them to the SDK, restrict egress network traffic to prevent unauthorized outbound requests, and reject user-controlled n8nApiUrl values to prevent exploitation. The first-party HTTP server deployment is less affected due to an additional asynchronous validator but upgrading is still recommended.