<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Auth-Fetch-Mcp &lt;= 3.0.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/auth-fetch-mcp--3.0.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:43:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/auth-fetch-mcp--3.0.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>auth-fetch-mcp SSRF Protection Bypass via IPv4-mapped IPv6 Loopback</title><link>https://feed.craftedsignal.io/briefs/2026-07-auth-fetch-mcp-ssrf-bypass/</link><pubDate>Fri, 03 Jul 2026 12:43:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-auth-fetch-mcp-ssrf-bypass/</guid><description>auth-fetch-mcp versions up to and including 3.0.1 contain an SSRF protection bypass vulnerability (CVE-2026-49857) where the `isPrivateV6()` function fails to correctly identify IPv4-mapped IPv6 loopback addresses after Node.js URL normalization, allowing URLs like `http://[::ffff:127.0.0.1]:PORT/` to bypass the `assertSafeUrl()` check, enabling an attacker to coerce the `auth_fetch` or `download_media` tools to make requests to internal or loopback services and compromising the confidentiality of internal service responses.</description><content:encoded><![CDATA[<p>A high-severity Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2026-49857) has been identified in <code>auth-fetch-mcp</code> versions up to and including 3.0.1. The flaw resides in the <code>src/security.ts</code> module, specifically within the <code>isPrivateV6()</code> function, which is designed to prevent requests to private and loopback IP addresses. However, when a Node.js WHATWG URL parser hex-normalizes an IPv4-mapped IPv6 loopback address (e.g., <code>::ffff:127.0.0.1</code> becomes <code>::ffff:7f00:1</code>), the subsequent <code>net.isIPv4()</code> check incorrectly returns <code>false</code>. This bypasses the security control, allowing <code>auth_fetch</code> and <code>download_media</code> tools to access internal services. The issue has a CVSS v3.1 Base Score of 7.4 (High) and enables attackers to read sensitive information from internal services on the target system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker supplies a user-controlled URL argument (e.g., <code>http://[::ffff:127.0.0.1]:PORT/</code>) to the <code>auth_fetch</code> or <code>download_media</code> tools within <code>auth-fetch-mcp</code>.</li>
<li>The application's <code>navigateTo()</code> or <code>ctx.request.get()</code> function calls <code>assertSafeUrl()</code> to validate the provided URL against SSRF protections.</li>
<li>Inside <code>assertSafeUrl()</code>, the <code>isPrivateV6()</code> function is invoked to determine if the URL's hostname is a private IPv6 address.</li>
<li>The Node.js WHATWG URL parser silently normalizes the IPv4-mapped IPv6 address (e.g., <code>::ffff:127.0.0.1</code>) to its hex-normalized form (e.g., <code>::ffff:7f00:1</code>).</li>
<li><code>isPrivateV6()</code> attempts to check the normalized address but <code>net.isIPv4('7f00:1')</code> incorrectly returns <code>false</code> because <code>7f00:1</code> is not a dotted-decimal IPv4 string.</li>
<li>This incorrect <code>false</code> result causes the <code>isPrivateV6()</code> and subsequently <code>assertSafeUrl()</code> functions to treat the loopback address as safe, bypassing the intended SSRF protection.</li>
<li>The now &quot;validated&quot; URL, which points to an internal loopback service, is then used by <code>page.goto()</code> (for <code>auth_fetch</code>) or <code>ctx.request.get()</code> (for <code>download_media</code>) to issue an HTTP request.</li>
<li>The application fetches content from the specified internal service, extracts it, and returns it to the attacker, thereby compromising the confidentiality of internal service responses.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This Server-Side Request Forgery (SSRF) vulnerability allows an attacker who can control the <code>url</code> argument of <code>auth_fetch</code> or <code>download_media</code> to force the <code>auth-fetch-mcp</code> server to make HTTP requests to services on <code>127.0.0.1</code> or other private IPv4 ranges. This impacts end users running <code>auth-fetch-mcp</code> locally, where an attacker could read responses from local development servers, admin panels, or credential endpoints. Server-side deployments of <code>auth-fetch-mcp</code> face the same risk against internal network services. The confidentiality of internal service responses is fully compromised (C:H), as demonstrated by the ability to retrieve an <code>INTERNAL_SECRET_MARKER</code> from a simulated internal service. The integrity and availability of the target service are not directly affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-49857</strong>: Implement the proposed remediation outlined in the GHSA advisory, which involves decoding the hex-encoded IPv4-mapped suffix before passing it to <code>isPrivateV4()</code> in <code>src/security.ts</code>.</li>
<li><strong>Application-level Guard</strong>: Add a <code>BrowserContext</code> route guard in <code>src/browser.ts</code> to re-validate every navigation URL, including redirect targets, using <code>assertSafeUrl()</code> for enhanced protection.</li>
<li><strong>Review <code>auth-fetch-mcp</code> usage</strong>: If <code>auth-fetch-mcp</code> is exposed to user-controlled input, review configurations and consider restricting its ability to resolve arbitrary URLs until a patch for CVE-2026-49857 is available.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>vulnerability</category><category>bypass</category><category>node.js</category><category>initial-access</category><category>defense-evasion</category></item></channel></rss>