Agentic tooling turns quiet developer laptops into hosts full of listening services: a local MCP server exposes an HTTP or SSE port for an IDE, an inference gateway proxies model calls, an agent daemon accepts control connections, a debug endpoint stays open after testing. Each is a network service, and most are stood up assuming only the developer can reach them. That assumption is the vulnerability.
These listeners multiply faster than anyone tracks them, frequently bind without authentication, and often front privileged capabilities: running tools, reading files, forwarding API calls with embedded credentials. Treating localhost as a security boundary is a mistake attackers have automated against.
How the attack works
There are two reliable ways to reach a listener assumed to be private. The first is the browser: a page the developer visits can issue requests to localhost from inside the victim's machine, and DNS rebinding lets a malicious site reach a service that never expected cross-origin traffic. The second is the network, because a service bound to a LAN interface, VPN address, or public IP is reachable by anyone who can route to it, and is found by continuous scanning. See browser AI security risks and controls.
Server-side request forgery ties these together. Many AI components fetch a caller-supplied URL or API base server-side, and an attacker who controls that value can pivot the component into requesting internal addresses like a metadata endpoint or admin service, using its own network position and credentials. Exposed LLM and agent infrastructure is now an active target class, with automated campaigns sweeping the address space for these ports, as in the LLM infrastructure mass-scanning and SSRF campaign.
Attack scenarios
- Malicious page pivots to localhost. An unauthenticated local MCP server listens on a fixed port. A page the developer opens, or a DNS-rebinding trick, drives the browser to call that port and invoke tools that read files or run commands with the developer's privileges.
- SSRF through an inference gateway. A gateway that forwards to a caller-configurable API base is tricked into fetching an internal URL, leaking a stored key or hitting a metadata service, as in the LiteLLM api_base SSRF and key leak.
- MCP server as an SSRF launch point. An MCP server that fetches URLs for the agent is steered toward internal endpoints and chained into command execution, as in the Atlassian MCP SSRF-to-RCE issue.
Related techniques
- Excessive MCP permissions - a reachable listener is only as dangerous as what it may do, so scope amplifies exposure, covered under excessive MCP permissions.
- Code execution - many listeners exist to run tools, so reaching one often means arbitrary code execution targeting the secrets and source it fronts.
Mitigations
- Inventory every listener the agent stack opens. You cannot firewall a port you do not know is open. Enumerate the MCP servers, gateways, and daemons on each endpoint and the ports they bind.
- Bind to loopback and authenticate anyway. Prefer localhost over routable interfaces, but still require a token, because loopback is reachable by the browser and by any local process.
- Constrain outbound fetches. For any component that retrieves a caller-supplied URL, deny requests to internal ranges and metadata addresses so an SSRF cannot pivot inward.
- Enforce at the tool-call boundary. When a listener exists to invoke tools, evaluate each call against policy before it runs, so a reached listener produces denied, logged attempts.
- Watch for drift. A debug port that opens after an update, or a service that binds to a new interface, is a change worth catching.
How Anomity helps
Anomity's lightweight, unprivileged Endpoint Sensor discovers the artifacts behind these listeners on every Windows, macOS, and Linux endpoint - the MCP servers, agents, and CLIs in the stack - and records each one's source, owner, version, and reach, so the software opening local ports becomes an inventory rather than a guess. It surfaces newly installed servers and configuration changes as change events, and on agents that expose a hook it evaluates each tool call and returns allow, deny, or log before it runs, containing a listener an attacker has reached. Violations route to SIEM, Slack, email, and Jira, and every event lands in a queryable 90-day audit trail that complements the EDR and network controls policing the ports.




