jshookmcp CVE-2026-49856
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
PR:L because MCP client authentication is required; C:L limited to internal network topology; no integrity or availability impact; network-reachable with low complexity.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The network domain has a central SSRF authorization policy that blocks private, loopback, link-local, and reserved targets unless an explicit authorization object allows private network access. The policy is enforced by raw HTTP/TCP/TLS RTT tools, but the ICMP probe and traceroute tools resolve the target and invoke the native ICMP/traceroute sink directly.
An MCP client with access to an active network domain can therefore ask the jshookmcp server to probe internal addresses such as 10.0.0.1 even when local SSRF access is disabled for the other raw network tools. This exposes an internal reachability and route mapping primitive from the server network position.
Affected code
Current main https://github.com/vmoranv/jshookmcp/commit/d309c395738638e384c28c0f599b47b2213ab595 and npm package @jshookmcp/jshook 0.3.1 both contain the issue.
- src/server/domains/network/handlers/raw-latency-handlers.ts:61-66: network_rtt_measure parses optional authorization and calls resolveAuthorizedTransportTarget before probing.
- src/server/domains/network/handlers/raw-latency-handlers.ts:185-190: network_latency_stats uses the same authorization guard.
- src/server/domains/network/handlers/raw-latency-handlers.ts:123-139: network_traceroute resolves target with resolveHostname and calls traceroute without an authorization policy check.
- src/server/domains/network/handlers/raw-latency-handlers.ts:240-257: network_icmp_probe resolves target with resolveHostname and calls icmpProbe without an authorization policy check.
- src/server/domains/network/handlers/raw-latency-handlers.ts:408-416: resolveHostname returns IPv4 literals directly and otherwise performs DNS A lookup without checking private, loopback, link-local, or reserved ranges.
- src/utils/network/ssrf-policy.ts:244-316: the central policy blocks private targets unless explicit authorization or ALLOW_LOCAL_SSRF=true is set.
Reproduction
Used a focused regression test against the real handleCallTool and RawHandlers call path with fake native ICMP and policy sinks. The test does not send external traffic. It proves the denied control and the bypass through the same MCP meta-tool dispatch path.
Test file path in my local checkout:
tests/server/security/jshookmcp-network-meta-boundary.test.tsRelevant test body:
it('denied control: RTT path consults the SSRF authorization guard for private targets', async () => {
const handler = new RawHandlers();
state.resolveAuthorizedTransportTarget.mockRejectedValue(new Error('RTT measurement blocked: target resolves to a private or reserved address.'));
await expect(handler.handleNetworkRttMeasure({ url: 'https://10.0.0.1/', probeType: 'tcp' })).rejects.toThrow(/blocked/);
expect(state.resolveAuthorizedTransportTarget).toHaveBeenCalled();
expect(state.icmpProbe).not.toHaveBeenCalled();
});
it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => {
const raw = new RawHandlers();
const ctx = {
router: { has: vi.fn((name: string) => name === 'network_icmp_probe') },
executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) => raw.handleNetworkIcmpProbe(args)),
} as any;
const response = await handleCallTool(ctx, { name: 'network_icmp_probe', args: { target: '10.0.0.1', ttl: 64 } });
const body = JSON.parse(response.content[0].text);
expect(body.success).toBe(true);
expect(ctx.router.has).toHaveBeenCalledWith('network_icmp_probe');
expect(ctx.executeToolWithTracking).toHaveBeenCalledWith('network_icmp_probe', { target: '10.0.0.1', ttl: 64 });
expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled();
expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({ target: '10.0.0.1', ttl: 64 }));
});Command run:
corepack pnpm exec vitest run --config vitest.config.ts tests/server/security/jshookmcp-network-meta-boundary.test.ts --reporter=verboseResult:
Test Files 1 passed (1)
Tests 4 passed (4)The observed vulnerable call sequence is:
call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64})
-> ctx.router.has(network_icmp_probe) == true
-> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs)
-> RawHandlers.handleNetworkIcmpProbe(validatedArgs)
-> resolveHostname(10.0.0.1) returns 10.0.0.1
-> icmpProbe({ target: 10.0.0.1, ttl: 64, ... })resolveAuthorizedTransportTarget is not called on this path. The same missing policy pattern exists for network_traceroute.
Impact
An MCP client with access to the active network domain can use the server as a backend-origin internal network probing oracle. The result can reveal whether internal hosts respond, approximate latency, traceroute hops, and ICMP error classes from the server network position.
The practical impact is strongest when jshookmcp is exposed over Streamable HTTP or another remote transport, multiple clients share one server, or the server runs on Windows or with raw socket capability. This is not code execution and does not by itself exfiltrate response bodies.
Remediation
Apply the same authorization model used by network_rtt_measure and network_latency_stats to network_icmp_probe and network_traceroute. In particular, accept an optional authorization object, resolve the target through the central policy helper or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to the native probe. Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and call_tool dispatch.
AnalysisAI
SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The network_icmp_probe and network_traceroute handlers call resolveHostname directly without invoking the central resolveAuthorizedTransportTarget guard, creating an inconsistent enforcement boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated MCP client (PR:L per CVSS vector) with access to an active network domain on the jshookmcp server - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the limited blast radius: exploitation requires prior MCP client authentication (PR:L) and the confidentiality impact is restricted to internal network topology disclosure (C:L), not data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding valid MCP client credentials connects to a remotely-exposed jshookmcp server and calls `network_icmp_probe` with `target: 10.0.0.1` - an address the server's SSRF policy would block via every other network tool. Because `handleNetworkIcmpProbe` never calls `resolveAuthorizedTransportTarget`, the probe reaches the internal host and returns latency, TTL, and ICMP response class. … |
| Remediation | The advisory (https://github.com/vmoranv/jshookmcp/security/advisories/GHSA-c5r6-m4mr-8q5j) recommends applying the same authorization model used by `network_rtt_measure` and `network_latency_stats` to `network_icmp_probe` and `network_traceroute`: accept an optional authorization object, resolve the target through `resolveAuthorizedTransportTarget` or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to native probe sinks. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c5r6-m4mr-8q5j