pypi · mcp-server-fetch2025.4.7

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

RemediationAI

The problem is that the tool is named 'fetch', which conflicts with reserved MCP tool namespaces and lacks a server-specific prefix, making it ambiguous in multi-server environments. Rename the tool by changing the @server.call_tool decorator and tool definition to use a prefixed name like 'fetch_web_content' or 'mcp_fetch_url' in server.py. This prevents namespace collisions and makes the tool's origin explicit when multiple MCP servers are composed. Verify by running the MCP server and confirming the tool name in the tools list matches the new prefixed name.

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

import readabilipy.simple_json

from mcp.shared.exceptions import McpError

from mcp.server import Server

from mcp.server.stdio import stdio_server

from mcp.types import (

    ErrorData,

    GetPromptResult,

    Prompt,

    PromptArgument,

    PromptMessage,

    TextContent,

    Tool,

    INVALID_PARAMS,

    INTERNAL_ERROR,

)

from protego import Protego

from pydantic import BaseModel, Field, AnyUr

RemediationAI

The problem is that the fetch tool accepts arbitrary caller-supplied URLs and returns extracted HTML/markdown directly to the LLM without any provenance markers or sanitization, enabling indirect prompt injection attacks where malicious web content can manipulate the LLM's reasoning. Wrap all fetched content with explicit delimiters (e.g., `[FETCHED_CONTENT_FROM_URL: {url}]...content...[END_FETCHED_CONTENT]`) and add a content sanitization step using a library like `bleach` or `html2text` with strict tag filtering before returning to the LLM context. This fix ensures the LLM can distinguish injected content from trusted instructions and prevents malicious HTML/JavaScript from being interpreted as system directives. Test by fetching a URL containing prompt injection payloads (e.g., `<script>ignore previous instructions</script>`) and verify the output is clearly marked as external content and stripped of executable code.

Evidence

# Use a Python image with uv pre-installed

FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS uv

# Install the project into `/app`

WORKDIR /app

# Enable bytecode compilation

ENV UV_COMPILE_BYTECODE=1

# Copy from the cache instead of linking since it's a mounted volume

ENV UV_LINK_MODE=copy

# Install the project's dependencies using the lockfile and settings

RUN --mount=type=cache,target=/root/.cache/uv \

    --mount=type=bind,source=uv.lock,target=uv.lock \

    --mount=type=bind,source=py

RemediationAI

The problem is that the Dockerfile lacks a USER directive, so the container runs as root by default, giving any RCE vulnerability or malicious library code full system privileges. Add `USER 1000` (or `USER nonroot` on distroless images) as a new line immediately before the CMD or ENTRYPOINT directive in the final stage of the Dockerfile. This fix restricts the container process to non-root privileges, limiting the blast radius of any exploit to that unprivileged user's capabilities. Verify by building the image, running `docker run --rm <image> id`, and confirming the output shows `uid=1000` or the specified non-root user instead of `uid=0`.

Evidence

Metadata-Version: 2.4

Name: mcp-server-fetch

Version: 2025.4.7

Summary: A Model Context Protocol server providing tools to fetch and convert web content for usage by LLMs

Author: Anthropic, PBC.

Maintainer-email: Jack Adamson <jadamson@anthropic.com>

License: MIT

License-File: LICENSE

Keywords: automation,http,llm,mcp

Classifier: Development Status :: 4 - Beta

Classifier: Intended Audience :: Developers

Classifier: License :: OSI Approved :: MIT License

Classifier: Programming Language :: Python

RemediationAI

The problem is that PKG-INFO metadata declares MCP tools but omits any authentication or authorization field, leaving reviewers unable to audit what security mechanism (if any) protects the server. Add an explicit `auth` or `authorization` field to the package metadata (or mcp.json manifest if present) documenting the actual mechanism—e.g., `Authorization: network-layer-only` or `Authorization: none-relies-on-host-isolation`—so security reviewers can make an informed decision. This fix makes the authentication posture explicit and auditable rather than ambiguous. Verify by checking that the updated metadata is readable by MCP clients and that the declared auth mechanism is documented in README.md.

Evidence

# Fetch MCP Server

A Model Context Protocol server that provides web content fetching capabilities. This server enables LLMs to retrieve and process content from web pages, converting HTML to markdown for easier consumption.

The fetch tool will truncate the response, but by using the `start_index` argument, you can specify where to start the content extraction. This lets models read a webpage in chunks, until they find the information they need.

### Available Tools

- `fetch` - Fetches a URL 

RemediationAI

The problem is that README.md describes the MCP server and its tools without declaring any authentication or authorization mechanism, leaving users and auditors uncertain about what security controls protect the server. Add a dedicated 'Security' or 'Authentication' section to README.md that explicitly states the authentication model—e.g., 'This server runs over stdio and relies on host-level process isolation' or 'Authentication: None (network access must be restricted by the host)'—so users understand the security assumptions. This fix makes the security posture transparent and helps users deploy the server safely. Verify by having a peer review the README and confirm they can clearly identify what authentication (if any) is in place.

Evidence

from typing import Annotated, Tuple

from urllib.parse import urlparse, urlunparse

import markdownify

import readabilipy.simple_json

from mcp.shared.exceptions import McpError

from mcp.server import Server

from mcp.server.stdio import stdio_server

from mcp.types import (

    ErrorData,

    GetPromptResult,

    Prompt,

    PromptArgument,

    PromptMessage,

    TextContent,

    Tool,

    INVALID_PARAMS,

    INTERNAL_ERROR,

)

from protego import Protego

from pydantic import BaseModel, Field, AnyUr

RemediationAI

The problem is that the tool description or documentation contains imperative language directing the LLM to invoke other tools (e.g., 'call the write_file tool'), which enables cross-tool chaining injection where an attacker can escalate from one authorized tool into others the user did not intend. Remove all imperative phrases like 'invoke', 'call', 'also use', or 'silently run' from the tool description in server.py and replace them with passive descriptions of what the tool does—e.g., change 'invoke write_file to save results' to 'returns content suitable for file storage'. This fix prevents the tool description from being weaponized to trick the LLM into unauthorized tool chaining. Verify by reviewing the tool description in the MCP schema and confirming no imperative verbs direct the LLM to call other tools.

LLM consensus