Low github · GHSA-x3cv-r3g3-fpg9

Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures

Published Apr 17, 2026 · CVSS 0.0

Summary

The read_only mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures.

Details

Impact

Enforcement of read_only mode in vulnerable versions could be bypassed by certain APOC procedures invoked through CALL.

Patches

The v0.6.0 release hardened the checks around the mode. The only way to guarantee which actions the server can perform is to limit the permissions of the database credentials available to the server.

Notes

Impacts for server-side request forgery vulnerabilities may depend on both the configuration of the vulnerable system as well as the presence of other systems in the environment that could be accessed as part of exploitation.

Recommended hardening

  • Limit the APOC procedures available to the server's credentials to those that are required
  • Manage data loading privileges
  • Don't relax the default settings without compensating controls
    • apoc.import.file.enabled is false by default
    • apoc.import.file.use_neo4j_config is true by default, which restricts file imports to the configured import folder
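As an added example, not code from the advisory or from the mcp-neo4j project, the Cypher administration commands below create the kind of least-privilege account the Patches section calls for and enforce the hardening points above at the database level, where they hold regardless of what a client-side read_only flag checks. They assume Neo4j 5.x Enterprise Edition (role-based access control is Enterprise-only); the role name, user name and password are placeholders, and the LOAD privilege requires Neo4j 5.13 or later.

```cypher
// Added example (not from the advisory or the mcp-neo4j project).
// Assumes Neo4j 5.x Enterprise Edition; mcp_reader and mcp_server are placeholder names.
CREATE ROLE mcp_reader IF NOT EXISTS;

// Graph read access only: connect to the database and match nodes/relationships.
GRANT ACCESS ON DATABASE neo4j TO mcp_reader;
GRANT MATCH {*} ON GRAPH neo4j TO mcp_reader;

// Every role inherits PUBLIC, which by default may execute all procedures and
// functions. Deny the APOC families that write data, read or write files, or
// fetch remote resources; DENY takes precedence over any GRANT in Neo4j.
DENY EXECUTE PROCEDURE apoc.load.*     ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.import.*   ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.export.*   ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.cypher.*   ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.periodic.* ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.create.*   ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.merge.*    ON DBMS TO mcp_reader;
DENY EXECUTE PROCEDURE apoc.refactor.* ON DBMS TO mcp_reader;

// Neo4j 5.13+ only: the LOAD privilege gates data loading (LOAD CSV and the
// APOC loaders) at the DBMS level, covering the "data loading privileges" point.
DENY LOAD ON ALL DATA TO mcp_reader;

// Dedicated account for the MCP server; it holds nothing beyond mcp_reader.
CREATE USER mcp_server IF NOT EXISTS
  SET PASSWORD '<placeholder-strong-password>' CHANGE NOT REQUIRED;
GRANT ROLE mcp_reader TO mcp_server;

// Review the effective privilege set before handing the credentials to the server.
SHOW USER mcp_server PRIVILEGES AS COMMANDS;
```

The deny list above is a starting point, not an exhaustive inventory; a stricter allowlist posture is to revoke `EXECUTE PROCEDURE *` from PUBLIC and grant only the named procedures each role needs, which affects every user of the DBMS and so needs coordination. Server-side settings complement these privileges: `dbms.security.procedures.allowlist` in neo4j.conf limits which procedures load at all, and the two APOC defaults listed above (`apoc.import.file.enabled=false`, `apoc.import.file.use_neo4j_config=true`) should stay at their defaults.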

Credits

We want to publicly recognise the contribution of Yotam Perkal from Pluto Security.

Affected AI Products

mcp server