auth-fetch-mcp SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
auth-fetch-mcp versions up to and including 3.0.1 contain an SSRF protection bypass vulnerability (CVE-2026-49857) where the `isPrivateV6()` function fails to correctly identify IPv4-mapped IPv6 loopback addresses after Node.js URL normalization, allowing URLs like `http://[::ffff:127.0.0.1]:PORT/` to bypass the `assertSafeUrl()` check, enabling an attacker to coerce the `auth_fetch` or `download_media` tools to make requests to internal or loopback services and compromising the confidentiality of internal service responses.
A high-severity Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2026-49857) has been identified in auth-fetch-mcp versions up to and including 3.0.1. The flaw resides in the src/security.ts module, specifically within the isPrivateV6() function, which is designed to prevent requests to private and loopback IP addresses. However, when a Node.js WHATWG URL parser hex-normalizes an IPv4-mapped IPv6 loopback address (e.g., ::ffff:127.0.0.1 becomes ::ffff:7f00:1), the subsequent net.isIPv4() check incorrectly returns false. This bypasses the security control, allowing auth_fetch and download_media tools to access internal services. The issue has a CVSS v3.1 Base Score of 7.4 (High) and enables attackers to read sensitive information from internal services on the target system.
Attack Chain
- An attacker supplies a user-controlled URL argument (e.g.,
http://[::ffff:127.0.0.1]:PORT/) to theauth_fetchordownload_mediatools withinauth-fetch-mcp. - The application's
navigateTo()orctx.request.get()function callsassertSafeUrl()to validate the provided URL against SSRF protections. - Inside
assertSafeUrl(), theisPrivateV6()function is invoked to determine if the URL's hostname is a private IPv6 address. - The Node.js WHATWG URL parser silently normalizes the IPv4-mapped IPv6 address (e.g.,
::ffff:127.0.0.1) to its hex-normalized form (e.g.,::ffff:7f00:1). isPrivateV6()attempts to check the normalized address butnet.isIPv4('7f00:1')incorrectly returnsfalsebecause7f00:1is not a dotted-decimal IPv4 string.- This incorrect
falseresult causes theisPrivateV6()and subsequentlyassertSafeUrl()functions to treat the loopback address as safe, bypassing the intended SSRF protection. - The now "validated" URL, which points to an internal loopback service, is then used by
page.goto()(forauth_fetch) orctx.request.get()(fordownload_media) to issue an HTTP request. - The application fetches content from the specified internal service, extracts it, and returns it to the attacker, thereby compromising the confidentiality of internal service responses.
Impact
This Server-Side Request Forgery (SSRF) vulnerability allows an attacker who can control the url argument of auth_fetch or download_media to force the auth-fetch-mcp server to make HTTP requests to services on 127.0.0.1 or other private IPv4 ranges. This impacts end users running auth-fetch-mcp locally, where an attacker could read responses from local development servers, admin panels, or credential endpoints. Server-side deployments of auth-fetch-mcp face the same risk against internal network services. The confidentiality of internal service responses is fully compromised (C:H), as demonstrated by the ability to retrieve an INTERNAL_SECRET_MARKER from a simulated internal service. The integrity and availability of the target service are not directly affected.
Recommendation
- Patch CVE-2026-49857: Implement the proposed remediation outlined in the GHSA advisory, which involves decoding the hex-encoded IPv4-mapped suffix before passing it to
isPrivateV4()insrc/security.ts. - Application-level Guard: Add a
BrowserContextroute guard insrc/browser.tsto re-validate every navigation URL, including redirect targets, usingassertSafeUrl()for enhanced protection. - Review
auth-fetch-mcpusage: Ifauth-fetch-mcpis exposed to user-controlled input, review configurations and consider restricting its ability to resolve arbitrary URLs until a patch for CVE-2026-49857 is available.