Skip to main content

@utcp/http CVE-2026-45366

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 https://github.com/universal-tool-calling-protocol/typescript-utcp GHSA-r8j5-8747-88cm
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:15 vuln.today
Analysis Generated
May 14, 2026 - 22:15 vuln.today
CVE Published
May 14, 2026 - 20:55 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Summary

The @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host.

A separate prefix-bypass also affected the discovery-time check: the previous startsWith('http://localhost') guard let URLs like http://localhost.evil.com through.

Sister advisory

This is the npm/TypeScript counterpart of GHSA-39j6-4867-gg4w / CVE-2026-44661 on the Python utcp-http package. Same vulnerability, same fix shape, same reporter.

Versions and patch state

  • @utcp/http <= 1.1.1 - vulnerable. Both the loopback-redirect (http://127.0.0.1) and the non-loopback internal-IP variants (e.g. http://169.254.169.254, http://10.0.0.5) succeed. Note: the streamable_http and sse callToolStreaming paths in 1.1.1 are TODO placeholders and don't actually fetch URLs, so the runtime SSRF surface in these protocols is currently confined to discovery - a future implementation must also call ensureSecureUrl before issuing the request.
  • @utcp/http 1.1.2 - full fix. Runtime revalidation in callTool closes the non-loopback variants; the OpenApiConverter rejects, at conversion time, any spec fetched from a non-loopback source that declares a loopback servers[0].url, closing the loopback-redirect variant.

Impact

A remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can:

  • Map internal networks behind the agent.
  • Read AWS/GCP IAM credentials from cloud metadata endpoints (http://169.254.169.254, http://metadata.google.internal).
  • Reach unauthenticated internal services exposed on loopback (Elasticsearch, Redis HTTP, internal admin panels, the agent's own HTTP server).
  • Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker.

Patch

Commit on dev: 21f63e6.

New helper packages/http/src/_security.ts exposes isSecureUrl, isLoopbackUrl, ensureSecureUrl. Hostname-based validation closes the prefix bypass (http://localhost.evil.com → rejected). All three protocols' registerManual now call ensureSecureUrl(url, 'manual discovery'); callTool re-checks the resolved URL with ensureSecureUrl(url, 'tool invocation') immediately before the axios request. OpenApiConverter rejects remote spec → loopback server.

Workarounds

For users who cannot upgrade immediately:

  • Refuse to call registerManual with any URL controlled by an untrusted party, even over HTTPS.
  • Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback) are unreachable.

Credit

Discovered and reported by @YLChen-007 against the Python sibling implementation (universal-tool-calling-protocol/python-utcp#83). The TypeScript port shared the same code shape and the same vulnerability.

AnalysisAI

Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.

Technical ContextAI

The vulnerability stems from a trust-boundary inconsistency in the Universal Tool Calling Protocol HTTP implementation. The registerManual() function validates discovery URLs against an HTTPS/loopback allowlist, but the downstream callTool() function and OpenApiConverter reuse resolved URLs without revalidation. The OpenApiConverter processes OpenAPI specifications and extracts the servers[0].url field without confirming that the URL's origin matches the spec's fetch origin. This allows an attacker to host a malicious spec on a trusted HTTPS endpoint while declaring internal IP addresses or loopback addresses as the tool endpoint. The prefix-bypass affects hostname validation logic that used startsWith('http://localhost') instead of proper hostname parsing, allowing domain names like localhost.evil.com to pass validation. The root cause is improper input validation (CWE-918: Server-Side Request Forgery) combined with insufficient URL canonicalization and cross-layer validation.

RemediationAI

Upgrade @utcp/http to version 1.1.2 immediately, which includes runtime revalidation of URLs in callTool() via the new ensureSecureUrl() helper and rejects remote-fetched OpenAPI specs that declare loopback server URLs at conversion time. For users unable to upgrade immediately, implement network-level mitigations: restrict outbound network access from hosts running the agent so that RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and loopback (127.0.0.0/8) are unreachable via egress filtering. Additionally, enforce strict policies prohibiting calls to registerManual() with any URL controlled by untrusted parties, even over HTTPS; this requires either operator discipline or automated prompt filtering to prevent LLM-driven registration of attacker URLs. The network isolation workaround has the trade-off of blocking legitimate internal tool integrations, so it should be combined with allowlist-based egress rules if internal services must be reached. See https://github.com/universal-tool-calling-protocol/typescript-utcp/security/advisories/GHSA-r8j5-8747-88cm for official guidance.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-45366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy