{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/auth-fetch-mcp--3.0.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["auth-fetch-mcp \u003c= 3.0.1"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","bypass","node.js","initial-access","defense-evasion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2026-49857) has been identified in \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e versions up to and including 3.0.1. The flaw resides in the \u003ccode\u003esrc/security.ts\u003c/code\u003e module, specifically within the \u003ccode\u003eisPrivateV6()\u003c/code\u003e function, which is designed to prevent requests to private and loopback IP addresses. However, when a Node.js WHATWG URL parser hex-normalizes an IPv4-mapped IPv6 loopback address (e.g., \u003ccode\u003e::ffff:127.0.0.1\u003c/code\u003e becomes \u003ccode\u003e::ffff:7f00:1\u003c/code\u003e), the subsequent \u003ccode\u003enet.isIPv4()\u003c/code\u003e check incorrectly returns \u003ccode\u003efalse\u003c/code\u003e. This bypasses the security control, allowing \u003ccode\u003eauth_fetch\u003c/code\u003e and \u003ccode\u003edownload_media\u003c/code\u003e tools to access internal services. The issue has a CVSS v3.1 Base Score of 7.4 (High) and enables attackers to read sensitive information from internal services on the target system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker supplies a user-controlled URL argument (e.g., \u003ccode\u003ehttp://[::ffff:127.0.0.1]:PORT/\u003c/code\u003e) to the \u003ccode\u003eauth_fetch\u003c/code\u003e or \u003ccode\u003edownload_media\u003c/code\u003e tools within \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application's \u003ccode\u003enavigateTo()\u003c/code\u003e or \u003ccode\u003ectx.request.get()\u003c/code\u003e function calls \u003ccode\u003eassertSafeUrl()\u003c/code\u003e to validate the provided URL against SSRF protections.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eassertSafeUrl()\u003c/code\u003e, the \u003ccode\u003eisPrivateV6()\u003c/code\u003e function is invoked to determine if the URL's hostname is a private IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe Node.js WHATWG URL parser silently normalizes the IPv4-mapped IPv6 address (e.g., \u003ccode\u003e::ffff:127.0.0.1\u003c/code\u003e) to its hex-normalized form (e.g., \u003ccode\u003e::ffff:7f00:1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eisPrivateV6()\u003c/code\u003e attempts to check the normalized address but \u003ccode\u003enet.isIPv4('7f00:1')\u003c/code\u003e incorrectly returns \u003ccode\u003efalse\u003c/code\u003e because \u003ccode\u003e7f00:1\u003c/code\u003e is not a dotted-decimal IPv4 string.\u003c/li\u003e\n\u003cli\u003eThis incorrect \u003ccode\u003efalse\u003c/code\u003e result causes the \u003ccode\u003eisPrivateV6()\u003c/code\u003e and subsequently \u003ccode\u003eassertSafeUrl()\u003c/code\u003e functions to treat the loopback address as safe, bypassing the intended SSRF protection.\u003c/li\u003e\n\u003cli\u003eThe now \u0026quot;validated\u0026quot; URL, which points to an internal loopback service, is then used by \u003ccode\u003epage.goto()\u003c/code\u003e (for \u003ccode\u003eauth_fetch\u003c/code\u003e) or \u003ccode\u003ectx.request.get()\u003c/code\u003e (for \u003ccode\u003edownload_media\u003c/code\u003e) to issue an HTTP request.\u003c/li\u003e\n\u003cli\u003eThe application fetches content from the specified internal service, extracts it, and returns it to the attacker, thereby compromising the confidentiality of internal service responses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis Server-Side Request Forgery (SSRF) vulnerability allows an attacker who can control the \u003ccode\u003eurl\u003c/code\u003e argument of \u003ccode\u003eauth_fetch\u003c/code\u003e or \u003ccode\u003edownload_media\u003c/code\u003e to force the \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e server to make HTTP requests to services on \u003ccode\u003e127.0.0.1\u003c/code\u003e or other private IPv4 ranges. This impacts end users running \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e locally, where an attacker could read responses from local development servers, admin panels, or credential endpoints. Server-side deployments of \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e face the same risk against internal network services. The confidentiality of internal service responses is fully compromised (C:H), as demonstrated by the ability to retrieve an \u003ccode\u003eINTERNAL_SECRET_MARKER\u003c/code\u003e from a simulated internal service. The integrity and availability of the target service are not directly affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-49857\u003c/strong\u003e: Implement the proposed remediation outlined in the GHSA advisory, which involves decoding the hex-encoded IPv4-mapped suffix before passing it to \u003ccode\u003eisPrivateV4()\u003c/code\u003e in \u003ccode\u003esrc/security.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication-level Guard\u003c/strong\u003e: Add a \u003ccode\u003eBrowserContext\u003c/code\u003e route guard in \u003ccode\u003esrc/browser.ts\u003c/code\u003e to re-validate every navigation URL, including redirect targets, using \u003ccode\u003eassertSafeUrl()\u003c/code\u003e for enhanced protection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e usage\u003c/strong\u003e: If \u003ccode\u003eauth-fetch-mcp\u003c/code\u003e is exposed to user-controlled input, review configurations and consider restricting its ability to resolve arbitrary URLs until a patch for CVE-2026-49857 is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:43:47Z","date_published":"2026-07-03T12:43:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-auth-fetch-mcp-ssrf-bypass/","summary":"auth-fetch-mcp versions up to and including 3.0.1 contain an SSRF protection bypass vulnerability (CVE-2026-49857) where the `isPrivateV6()` function fails to correctly identify IPv4-mapped IPv6 loopback addresses after Node.js URL normalization, allowing URLs like `http://[::ffff:127.0.0.1]:PORT/` to bypass the `assertSafeUrl()` check, enabling an attacker to coerce the `auth_fetch` or `download_media` tools to make requests to internal or loopback services and compromising the confidentiality of internal service responses.","title":"auth-fetch-mcp SSRF Protection Bypass via IPv4-mapped IPv6 Loopback","url":"https://feed.craftedsignal.io/briefs/2026-07-auth-fetch-mcp-ssrf-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Auth-Fetch-Mcp \u003c= 3.0.1","version":"https://jsonfeed.org/version/1.1"}