{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mcp-from-openapi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","openapi","mcp-from-openapi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003emcp-from-openapi\u003c/code\u003e library, up to version 2.1.2, is susceptible to Server-Side Request Forgery (SSRF) attacks. This vulnerability arises from the library\u0026rsquo;s use of \u003ccode\u003e@apidevtools/json-schema-ref-parser\u003c/code\u003e to dereference \u003ccode\u003e$ref\u003c/code\u003e pointers in OpenAPI specifications without implementing any URL restrictions or custom resolvers. By crafting malicious OpenAPI specifications, an attacker can exploit this flaw to force the library to fetch internal network addresses, cloud metadata endpoints (like \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e), or local files using \u003ccode\u003efile:///etc/passwd\u003c/code\u003e. This occurs during the \u003ccode\u003einitialize()\u003c/code\u003e call when processing the OpenAPI definition. Defenders should be aware that applications utilizing \u003ccode\u003emcp-from-openapi\u003c/code\u003e to process potentially untrusted OpenAPI specifications are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenAPI specification containing \u003ccode\u003e$ref\u003c/code\u003e pointers to internal resources, cloud metadata endpoints, or local files.\u003c/li\u003e\n\u003cli\u003eThe application using \u003ccode\u003emcp-from-openapi\u003c/code\u003e receives this crafted OpenAPI specification, for example, via user upload or network request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eOpenAPIToolGenerator.initialize()\u003c/code\u003e function is called, triggering the \u003ccode\u003e$ref\u003c/code\u003e dereferencing process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejson-schema-ref-parser\u003c/code\u003e library, lacking proper configuration, fetches the resources specified in the malicious \u003ccode\u003e$ref\u003c/code\u003e pointers.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e$ref\u003c/code\u003e points to a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e), the server attempts to retrieve sensitive cloud credentials.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e$ref\u003c/code\u003e points to an internal service, the server probes the internal network, potentially revealing information about available services.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e$ref\u003c/code\u003e points to a local file (e.g., \u003ccode\u003efile:///etc/passwd\u003c/code\u003e), the server reads the contents of the file and includes it in the dereferenced output.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information, such as cloud credentials or internal network configurations, enabling further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability in \u003ccode\u003emcp-from-openapi\u003c/code\u003e can have significant consequences. Attackers can steal cloud credentials by targeting metadata endpoints like \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e, allowing them to compromise cloud infrastructure. The vulnerability also enables internal network scanning by probing internal services and ports, mapping out the internal network layout. Furthermore, attackers can read arbitrary files from the server\u0026rsquo;s filesystem using the \u003ccode\u003efile://\u003c/code\u003e protocol, potentially gaining access to sensitive configuration files or credentials. The affected packages include npm/mcp-from-openapi (vulnerable: \u0026lt;= 2.1.2), npm/@frontmcp/sdk (vulnerable: \u0026lt;= 1.0.3), and npm/@frontmcp/adapters (vulnerable: \u0026lt;= 1.0.3).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003emcp-from-openapi\u003c/code\u003e to a patched version if available, or implement a patch to restrict URL resolution as described in the suggested fix.\u003c/li\u003e\n\u003cli\u003eImplement input validation on OpenAPI specifications before processing them with \u003ccode\u003emcp-from-openapi\u003c/code\u003e to prevent malicious \u003ccode\u003e$ref\u003c/code\u003e values, mitigating CVE-2026-39885.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes running \u003ccode\u003emcp-from-openapi\u003c/code\u003e, alerting on connections to internal network addresses or cloud metadata endpoints using the network connection rule below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects access to local files via the \u003ccode\u003efile://\u003c/code\u003e protocol to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T19:22:53Z","date_published":"2026-04-08T19:22:53Z","id":"/briefs/2026-04-mcp-from-openapi-ssrf/","summary":"The mcp-from-openapi library is vulnerable to Server-Side Request Forgery (SSRF) due to insecure handling of $ref pointers in OpenAPI specifications, allowing attackers to read local files, internal network resources, and cloud metadata endpoints by processing untrusted OpenAPI specifications.","title":"mcp-from-openapi SSRF Vulnerability via Untrusted OpenAPI Specifications","url":"https://feed.craftedsignal.io/briefs/2026-04-mcp-from-openapi-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Mcp-From-Openapi","version":"https://jsonfeed.org/version/1.1"}