MCP server for SearXNG — private web search for Claude Code
The runtime MCP fetch tool accepts URLs and performs outbound HTTP requests. Its private-address protection is hostname-pattern based, so a public hostname resolving to a private address can bypass the check.
`build/src/fetch-utils.js` blocks private targets only by hostname text, without DNS/IP resolution.
build/src/fetch-utils.jsView on unpkg`build/src/tiers/raw.js` calls `fetch(url)` after that hostname-only check for MCP-requested URLs.
build/src/tiers/raw.jsView on unpkg`build/src/index.js` can expose an unauthenticated HTTP MCP server when configured beyond loopback.
build/src/index.jsView on unpkg`build/src/fetch-utils.js` blocks private targets only by hostname text, without DNS/IP resolution.
build/src/fetch-utils.jsView on unpkg`build/src/tiers/raw.js` calls `fetch(url)` after that hostname-only check for MCP-requested URLs.
build/src/tiers/raw.jsView on unpkg`build/src/index.js` can expose an unauthenticated HTTP MCP server when configured beyond loopback.
build/src/index.jsView on unpkg