{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/aas-ee/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["open-webSearch"],"_cs_severities":["critical"],"_cs_tags":["ssrf","open-websearch","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Aas-ee"],"content_html":"\u003cp\u003eOpen-WebSearch is vulnerable to a Server-Side Request Forgery (SSRF) in the \u003ccode\u003efetchWebContent\u003c/code\u003e tool. This vulnerability stems from two primary defects in the \u003ccode\u003eisPublicHttpUrl\u003c/code\u003e function within \u003ccode\u003esrc/utils/urlSafety.ts\u003c/code\u003e. First, the function fails to recognize bracketed IPv6 literals, like \u003ccode\u003e[::1]\u003c/code\u003e, allowing them to bypass the private network checks. Second, the function lacks DNS resolution for hostnames, meaning that any attacker-controlled hostname resolving to a private IP address (e.g., 127.0.0.1) will pass the validation. Successful exploitation allows an attacker to make the server fetch content from internal resources. The vulnerability exists in version HEAD as of 2026-05-05. Because the tool returns the response body to the MCP caller, the SSRF is non-blind. The vulnerability is exploitable over stdio and is pre-auth when \u003ccode\u003eenableHttpServer\u003c/code\u003e is set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint to initialize an MCP session, obtaining an \u003ccode\u003emcp-session-id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another POST request to \u003ccode\u003e/mcp\u003c/code\u003e with the \u003ccode\u003enotifications/initialized\u003c/code\u003e method and the obtained \u003ccode\u003emcp-session-id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request to \u003ccode\u003e/mcp\u003c/code\u003e with the \u003ccode\u003etools/call\u003c/code\u003e method to invoke the \u003ccode\u003efetchWebContent\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a URL containing a bracketed IPv6 literal (e.g., \u003ccode\u003ehttp://[::ffff:7f00:1]:19999/internal\u003c/code\u003e) or an attacker-controlled hostname resolving to a private IP address as the target.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisPublicHttpUrl\u003c/code\u003e function fails to properly validate the URL due to the defects in IPv6 literal recognition and lack of DNS resolution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetchWebContent\u003c/code\u003e tool uses \u003ccode\u003eaxios.get\u003c/code\u003e to fetch content from the attacker-specified URL.\u003c/li\u003e\n\u003cli\u003eThe response from the internal resource is retrieved and formatted as JSON.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetchWebContent\u003c/code\u003e tool returns the content to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability allows an attacker to make the Open-WebSearch server fetch content from arbitrary private-network URLs. This includes AWS EC2 metadata endpoints, internal dashboards, services running on loopback, and RFC1918 neighbors. The vulnerability is pre-authentication when the \u003ccode\u003eenableHttpServer\u003c/code\u003e configuration is enabled, potentially leading to full system compromise or data exfiltration from internal services. Furthermore, the CORS \u003ccode\u003e*\u003c/code\u003e configuration on \u003ccode\u003e/mcp\u003c/code\u003e allows for DNS rebinding attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetectOpenWebSearchSSRFIPv6\u003c/code\u003e Sigma rule to detect attempts to exploit the IPv6 bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetectOpenWebSearchfetchWebContent\u003c/code\u003e Sigma rule to detect usage of the vulnerable fetchWebContent tool.\u003c/li\u003e\n\u003cli\u003eRestrict access to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint by implementing authentication and access controls to prevent unauthorized tool execution, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the Open-WebSearch server to identify any unexpected or unauthorized connections to internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T20:51:45Z","date_published":"2026-05-05T20:51:45Z","id":"/briefs/2024-01-open-websearch-ssrf/","summary":"Open-WebSearch has a Server-Side Request Forgery (SSRF) vulnerability in the `fetchWebContent` MCP tool due to improper validation of IPv6 literals and lack of DNS resolution, allowing attackers to fetch arbitrary private-network URLs and receive the response body.","title":"Open-WebSearch SSRF Vulnerability in fetchWebContent Tool","url":"https://feed.craftedsignal.io/briefs/2024-01-open-websearch-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Aas-Ee","version":"https://jsonfeed.org/version/1.1"}