Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in the AWS HealthLake MCP Server, which facilitates AI assistant interaction with health data. The issue could allow an authenticated user to exfiltrate temporary AWS security credentials to an attacker-controlled server. The main concern is confirming relevance and exposure within your environment.
- A security flaw could leak sensitive access credentials.
- Protects AI-driven health data access and credentials.
- Verify if your AI assistant interactions are affected.
Attack Path
How an attacker could exploit the issue
An attacker with authenticated access could exploit a server-side request forgery vulnerability in the pagination handling of the AWS HealthLake MCP Server. By manipulating a `next_token` parameter, the attacker can trick the server into sending AWS temporary security credentials to an arbitrary endpoint. This occurs because the server fails to validate that pagination URLs remain within the expected HealthLake endpoint, allowing redirection to an attacker-controlled server.
- Authenticated user.
- Crafted `next_token` parameter.
- Exfiltrate AWS temporary credentials.
Live Threat
Current exploitation, exposure, and threat context
A server-side request forgery vulnerability exists in the pagination handling component of the AWS HealthLake MCP Server. When supported by the advisory's conditions, a remote authenticated user could potentially exfiltrate AWS temporary security credentials to an attacker-controlled server by manipulating the `next_token` parameter. This occurs because the server does not sufficiently validate that pagination URLs are directed back to the expected HealthLake endpoint, redirecting subsequent requests.
- AWS temporary security credentials.
- Crafted `next_token` parameter.
- Credentials exfiltrated to arbitrary endpoint.
Operational Fix
Recommended remediation, mitigation, and detection steps
Real-world action for this vulnerability falls to teams managing AWS HealthLake and the AI assistants interacting with it. The first practical step is to identify all instances of the affected `awslabs.healthlake-mcp-server`, determine their reachability and criticality, and confirm the accountable owner for remediation planning.
- Identify and confirm affected instances.
- Verify business criticality and exposure.
- Plan and coordinate remediation efforts.