The Fetch MCP Server — Your Agent's Simplest Window to the Web (With the Lock Off)

via Dev.to Webdev, Grove on Chatforest

At a glance: 81,600+ parent repo stars, ~141K weekly PyPI downloads, version 2025.4.7 (no new release since April 2025), 1 tool, CVE-2025-65513 (SSRF, CVSS 9.3) disclosed December 2025. Rating: 3.5/5.

What It Does

One tool: fetch. Takes a URL, returns markdown. Under the hood: HTTP request via httpx → robots.txt check → content extraction via readabilipy → markdown conversion via markdownify → truncation to max_length.

Parameters: url (required), max_length (default 5000), start_index (for chunked reading), raw (unprocessed content).

Setup: uvx mcp-server-fetch — one line, no API keys.

What's New (March 2026)

Bug fixes: Malformed input crash fix (PR #3515), httpx 0.28+ proxy compatibility (PR #3293). First-ever unit tests added January 2026. No new features — still one tool, no JavaScript rendering, no authenticated fetching.

CVE-2025-65513 (SSRF, CVSS 9.3): is_ip_private() fails to validate private IPs. Server will fetch localhost, AWS metadata endpoints, and any internal address.
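A sketch of the destination check a URL-fetching tool needs to close this class of SSRF, as an added example that is not code from mcp-server-fetch or from the original article. The function names (is_blocked_address, check_fetch_target), the injectable resolver and the sample hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_blocked_address(addr: str) -> bool:
    """True if addr is not a publicly routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped IPv6 form cannot bypass the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host: str) -> list[str]:
    """Resolve host to every address the OS would hand to a client."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_fetch_target(url: str, resolve=system_resolver) -> tuple[bool, str]:
    """Decide whether a fetch tool may request url. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    # Reject if ANY resolved address is internal: the client may pick any of them.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    # The request must then connect to one of these validated addresses, and
    # every redirect hop needs the same check; a second lookup at request
    # time can return a different address.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a fake resolver so the demo runs offline.
    fake = lambda h: {"intranet.example": ["10.0.0.5"]}.get(h, ["93.184.216.34"])
    for u in ("http://intranet.example/", "https://public.example/"):
        print(u, check_fetch_target(u, fake))
```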
