GHSA-c5r6-m4mr-8q5j

Suggest an improvement
Source
https://github.com/advisories/GHSA-c5r6-m4mr-8q5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-c5r6-m4mr-8q5j/GHSA-c5r6-m4mr-8q5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c5r6-m4mr-8q5j
Aliases
  • CVE-2026-49856
Published
2026-07-01T18:14:57Z
Modified
2026-07-01T18:30:08.585146059Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization
Details

Summary

The network domain has a central SSRF authorization policy that blocks private, loopback, link-local, and reserved targets unless an explicit authorization object allows private network access. The policy is enforced by raw HTTP/TCP/TLS RTT tools, but the ICMP probe and traceroute tools resolve the target and invoke the native ICMP/traceroute sink directly.

An MCP client with access to an active network domain can therefore ask the jshookmcp server to probe internal addresses such as 10.0.0.1 even when local SSRF access is disabled for the other raw network tools. This exposes an internal reachability and route mapping primitive from the server network position.

Affected code

Current main https://github.com/vmoranv/jshookmcp/commit/d309c395738638e384c28c0f599b47b2213ab595 and npm package @jshookmcp/jshook 0.3.1 both contain the issue.

  • src/server/domains/network/handlers/raw-latency-handlers.ts:61-66: networkrttmeasure parses optional authorization and calls resolveAuthorizedTransportTarget before probing.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:185-190: networklatencystats uses the same authorization guard.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:123-139: network_traceroute resolves target with resolveHostname and calls traceroute without an authorization policy check.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:240-257: networkicmpprobe resolves target with resolveHostname and calls icmpProbe without an authorization policy check.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:408-416: resolveHostname returns IPv4 literals directly and otherwise performs DNS A lookup without checking private, loopback, link-local, or reserved ranges.
  • src/utils/network/ssrf-policy.ts:244-316: the central policy blocks private targets unless explicit authorization or ALLOWLOCALSSRF=true is set.

Reproduction

Used a focused regression test against the real handleCallTool and RawHandlers call path with fake native ICMP and policy sinks. The test does not send external traffic. It proves the denied control and the bypass through the same MCP meta-tool dispatch path.

Test file path in my local checkout:

tests/server/security/jshookmcp-network-meta-boundary.test.ts

Relevant test body:

it('denied control: RTT path consults the SSRF authorization guard for private targets', async () => {
  const handler = new RawHandlers();
  state.resolveAuthorizedTransportTarget.mockRejectedValue(new Error('RTT measurement blocked: target resolves to a private or reserved address.'));
  await expect(handler.handleNetworkRttMeasure({ url: 'https://10.0.0.1/', probeType: 'tcp' })).rejects.toThrow(/blocked/);
  expect(state.resolveAuthorizedTransportTarget).toHaveBeenCalled();
  expect(state.icmpProbe).not.toHaveBeenCalled();
});

it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => {
  const raw = new RawHandlers();
  const ctx = {
    router: { has: vi.fn((name: string) => name === 'network_icmp_probe') },
    executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) => raw.handleNetworkIcmpProbe(args)),
  } as any;

  const response = await handleCallTool(ctx, { name: 'network_icmp_probe', args: { target: '10.0.0.1', ttl: 64 } });
  const body = JSON.parse(response.content[0].text);

  expect(body.success).toBe(true);
  expect(ctx.router.has).toHaveBeenCalledWith('network_icmp_probe');
  expect(ctx.executeToolWithTracking).toHaveBeenCalledWith('network_icmp_probe', { target: '10.0.0.1', ttl: 64 });
  expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled();
  expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({ target: '10.0.0.1', ttl: 64 }));
});

Command run:

corepack pnpm exec vitest run --config vitest.config.ts tests/server/security/jshookmcp-network-meta-boundary.test.ts --reporter=verbose

Result:

Test Files  1 passed (1)
Tests       4 passed (4)

The observed vulnerable call sequence is:

call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64})
  -> ctx.router.has(network_icmp_probe) == true
  -> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs)
  -> RawHandlers.handleNetworkIcmpProbe(validatedArgs)
  -> resolveHostname(10.0.0.1) returns 10.0.0.1
  -> icmpProbe({ target: 10.0.0.1, ttl: 64, ... })

resolveAuthorizedTransportTarget is not called on this path. The same missing policy pattern exists for network_traceroute.

Impact

An MCP client with access to the active network domain can use the server as a backend-origin internal network probing oracle. The result can reveal whether internal hosts respond, approximate latency, traceroute hops, and ICMP error classes from the server network position.

The practical impact is strongest when jshookmcp is exposed over Streamable HTTP or another remote transport, multiple clients share one server, or the server runs on Windows or with raw socket capability. This is not code execution and does not by itself exfiltrate response bodies.

Remediation

Apply the same authorization model used by networkrttmeasure and networklatencystats to networkicmpprobe and networktraceroute. In particular, accept an optional authorization object, resolve the target through the central policy helper or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to the native probe. Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and calltool dispatch.

Database specific
{
    "github_reviewed_at": "2026-07-01T18:14:57Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / @jshookmcp/jshook

Package

Name
@jshookmcp/jshook
View open source insights on deps.dev
Purl
pkg:npm/%40jshookmcp%2Fjshook

Affected ranges

Type
SEMVER
Events
Introduced
0.3.1
Fixed
0.3.2

Affected versions

0.*
0.3.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-c5r6-m4mr-8q5j/GHSA-c5r6-m4mr-8q5j.json"