Python Utcp
Monthly
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.