Skip to main content

jshookmcp CVE-2026-49856

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-01 https://github.com/vmoranv/jshookmcp GHSA-c5r6-m4mr-8q5j
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L because MCP client authentication is required; C:L limited to internal network topology; no integrity or availability impact; network-reachable with low complexity.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 18:51 vuln.today
CVE Published
Jul 01, 2026 - 18:14 github-advisory
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

The network domain has a central SSRF authorization policy that blocks private, loopback, link-local, and reserved targets unless an explicit authorization object allows private network access. The policy is enforced by raw HTTP/TCP/TLS RTT tools, but the ICMP probe and traceroute tools resolve the target and invoke the native ICMP/traceroute sink directly.

An MCP client with access to an active network domain can therefore ask the jshookmcp server to probe internal addresses such as 10.0.0.1 even when local SSRF access is disabled for the other raw network tools. This exposes an internal reachability and route mapping primitive from the server network position.

Affected code

Current main https://github.com/vmoranv/jshookmcp/commit/d309c395738638e384c28c0f599b47b2213ab595 and npm package @jshookmcp/jshook 0.3.1 both contain the issue.

  • src/server/domains/network/handlers/raw-latency-handlers.ts:61-66: network_rtt_measure parses optional authorization and calls resolveAuthorizedTransportTarget before probing.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:185-190: network_latency_stats uses the same authorization guard.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:123-139: network_traceroute resolves target with resolveHostname and calls traceroute without an authorization policy check.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:240-257: network_icmp_probe resolves target with resolveHostname and calls icmpProbe without an authorization policy check.
  • src/server/domains/network/handlers/raw-latency-handlers.ts:408-416: resolveHostname returns IPv4 literals directly and otherwise performs DNS A lookup without checking private, loopback, link-local, or reserved ranges.
  • src/utils/network/ssrf-policy.ts:244-316: the central policy blocks private targets unless explicit authorization or ALLOW_LOCAL_SSRF=true is set.

Reproduction

Used a focused regression test against the real handleCallTool and RawHandlers call path with fake native ICMP and policy sinks. The test does not send external traffic. It proves the denied control and the bypass through the same MCP meta-tool dispatch path.

Test file path in my local checkout:

text
tests/server/security/jshookmcp-network-meta-boundary.test.ts

Relevant test body:

ts
it('denied control: RTT path consults the SSRF authorization guard for private targets', async () => {
  const handler = new RawHandlers();
  state.resolveAuthorizedTransportTarget.mockRejectedValue(new Error('RTT measurement blocked: target resolves to a private or reserved address.'));
  await expect(handler.handleNetworkRttMeasure({ url: 'https://10.0.0.1/', probeType: 'tcp' })).rejects.toThrow(/blocked/);
  expect(state.resolveAuthorizedTransportTarget).toHaveBeenCalled();
  expect(state.icmpProbe).not.toHaveBeenCalled();
});

it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => {
  const raw = new RawHandlers();
  const ctx = {
    router: { has: vi.fn((name: string) => name === 'network_icmp_probe') },
    executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) => raw.handleNetworkIcmpProbe(args)),
  } as any;

  const response = await handleCallTool(ctx, { name: 'network_icmp_probe', args: { target: '10.0.0.1', ttl: 64 } });
  const body = JSON.parse(response.content[0].text);

  expect(body.success).toBe(true);
  expect(ctx.router.has).toHaveBeenCalledWith('network_icmp_probe');
  expect(ctx.executeToolWithTracking).toHaveBeenCalledWith('network_icmp_probe', { target: '10.0.0.1', ttl: 64 });
  expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled();
  expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({ target: '10.0.0.1', ttl: 64 }));
});

Command run:

bash
corepack pnpm exec vitest run --config vitest.config.ts tests/server/security/jshookmcp-network-meta-boundary.test.ts --reporter=verbose

Result:

text
Test Files  1 passed (1)
Tests       4 passed (4)

The observed vulnerable call sequence is:

text
call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64})
  -> ctx.router.has(network_icmp_probe) == true
  -> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs)
  -> RawHandlers.handleNetworkIcmpProbe(validatedArgs)
  -> resolveHostname(10.0.0.1) returns 10.0.0.1
  -> icmpProbe({ target: 10.0.0.1, ttl: 64, ... })

resolveAuthorizedTransportTarget is not called on this path. The same missing policy pattern exists for network_traceroute.

Impact

An MCP client with access to the active network domain can use the server as a backend-origin internal network probing oracle. The result can reveal whether internal hosts respond, approximate latency, traceroute hops, and ICMP error classes from the server network position.

The practical impact is strongest when jshookmcp is exposed over Streamable HTTP or another remote transport, multiple clients share one server, or the server runs on Windows or with raw socket capability. This is not code execution and does not by itself exfiltrate response bodies.

Remediation

Apply the same authorization model used by network_rtt_measure and network_latency_stats to network_icmp_probe and network_traceroute. In particular, accept an optional authorization object, resolve the target through the central policy helper or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to the native probe. Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and call_tool dispatch.

AnalysisAI

SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The network_icmp_probe and network_traceroute handlers call resolveHostname directly without invoking the central resolveAuthorizedTransportTarget guard, creating an inconsistent enforcement boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain MCP client credentials
Delivery
Connect to jshookmcp network domain over remote transport
Exploit
Invoke network_icmp_probe or network_traceroute with private RFC 1918 target
Execution
resolveHostname returns address without SSRF policy check
Persist
Native ICMP or traceroute sink probes internal host
Impact
Extract reachability, latency, and hop topology from server network position

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated MCP client (PR:L per CVSS vector) with access to an active network domain on the jshookmcp server - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the limited blast radius: exploitation requires prior MCP client authentication (PR:L) and the confidentiality impact is restricted to internal network topology disclosure (C:L), not data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding valid MCP client credentials connects to a remotely-exposed jshookmcp server and calls `network_icmp_probe` with `target: 10.0.0.1` - an address the server's SSRF policy would block via every other network tool. Because `handleNetworkIcmpProbe` never calls `resolveAuthorizedTransportTarget`, the probe reaches the internal host and returns latency, TTL, and ICMP response class. …
Remediation The advisory (https://github.com/vmoranv/jshookmcp/security/advisories/GHSA-c5r6-m4mr-8q5j) recommends applying the same authorization model used by `network_rtt_measure` and `network_latency_stats` to `network_icmp_probe` and `network_traceroute`: accept an optional authorization object, resolve the target through `resolveAuthorizedTransportTarget` or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to native probe sinks. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-49856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy