Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.url directly without revalidating. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare servers: [{ url: "http://169.254.169.254" }] (or any internal address) in the spec; the OpenAPI converter blindly trusts that value and the tool becomes a blind SSRF primitive that exposes cloud metadata, internal services, and other firewalled-only endpoints to the LLM caller.
All three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) shared the same gap, plus a separate prefix-bypass: the previous startswith("http://localhost") check let URLs like http://localhost.evil.com through.
Impact
A remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can:
- Map internal networks behind the agent.
- Read AWS/GCP IAM credentials from cloud metadata endpoints (
http://169.254.169.254,http://metadata.google.internal). - Reach unauthenticated internal services (Elasticsearch, Redis HTTP, internal admin panels).
- Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker.
Affected versions
utcp-http <= 1.1.1.
Patched versions
utcp-http 1.1.2.
Patch
Commit: 5b16e43 on dev.
- New
utcp_http._securityhelper:ensure_secure_url(url, context=...)parses the URL withurllib.parse.urlparseand validates the hostname (not a string prefix) against the loopback set, closing thelocalhost.evil.combypass. - All three protocols call
ensure_secure_url(url, context="manual discovery")inregister_manual(replacing the duplicated prefix check) andensure_secure_url(url, context="tool invocation")immediately before each aiohttp request incall_tool/call_tool_streaming. The runtime check is the actual SSRF fix. - New regression tests in
test_security.pypin the accept/reject decisions and explicitly cover the historical bypass cases.
Workarounds
For users who cannot upgrade immediately:
- Refuse to call
register_manualwith any URL controlled by an untrusted party, even over HTTPS. - Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback for cloud metadata) are unreachable.
Credit
Discovered and reported by @YLChen-007 in #83.
AnalysisAI
Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where call_tool() and call_tool_streaming() reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (localhost.evil.com bypassing startswith checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).
Technical ContextAI
The utcp-http plugin implements the Universal Tool Calling Protocol (UTCP) HTTP transport layer for LLM agent tool calling. It processes OpenAPI specifications (tool definitions) through an OpenAPI converter that extracts server URLs from the servers[0].url field in the specification. The vulnerability stems from a trust-boundary inconsistency: register_manual() validates discovery URLs against an HTTPS/loopback allowlist, but call_tool() and call_tool_streaming() in three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) directly reuse the tool_call_template.url resolved from the OpenAPI spec without re-validating it against security constraints. Additionally, the previous hostname validation used startswith('http://localhost') string matching, which fails to properly validate hostnames and allows bypasses like http://localhost.evil.com. The root cause is classified as CWE-918 (Server-Side Request Forgery), where user-controlled server declarations in an externally hosted OpenAPI spec are treated as trusted after initial discovery validation, but not re-validated at invocation time. The fix introduces a dedicated ensure_secure_url(url, context) security helper using urllib.parse.urlparse for proper hostname validation and applies it at both registration and invocation time.
RemediationAI
Upgrade utcp-http to version 1.1.2 or later, which includes the new ensure_secure_url(url, context) security validation helper that properly parses hostnames using urllib.parse.urlparse and re-validates URLs at both registration and invocation time. The patch is available via pip with pip install --upgrade utcp-http>=1.1.2 and is tracked in commit 5b16e43 on the dev branch of the upstream repository. For users unable to upgrade immediately, apply these workarounds: (1) Strictly refuse to call register_manual() with any OpenAPI URLs controlled by untrusted parties, even if served over HTTPS; verify OpenAPI specifications before registration. (2) Restrict outbound network access from the host running the agent so that internal address ranges (RFC1918 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, link-local 169.254.0.0/16, and localhost 127.0.0.1/32) are unreachable via firewall rules or host-level egress filtering-this prevents SSRF requests from reaching cloud metadata endpoints and internal services even if exploited. (3) Disable dynamic tool registration and maintain a static, pre-vetted allowlist of OpenAPI specifications. Note that these workarounds have trade-offs: network restriction may break legitimate use cases if the agent needs to call internal services, and static allowlists reduce flexibility. The patch is the recommended path forward.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30479
GHSA-39j6-4867-gg4w