{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/flytohub/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flyto-core 2.26.2"],"_cs_severities":["critical"],"_cs_tags":["unauthenticated-rce","command-injection","web-application","ghsa","linux"],"_cs_type":"advisory","_cs_vendors":["flytohub"],"content_html":"\u003cp\u003eflyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (\u003ccode\u003ePOST /mcp\u003c/code\u003e), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC \u003ccode\u003etools/call\u003c/code\u003e requests that are then dispatched to arbitrary internal modules, including \u003ccode\u003esandbox.execute_shell\u003c/code\u003e. This specific module executes attacker-controlled input directly via \u003ccode\u003easyncio.create_subprocess_shell\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e, bypassing security controls. By default, flyto-core binds to \u003ccode\u003e127.0.0.1\u003c/code\u003e, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to \u003ccode\u003e--host 0.0.0.0\u003c/code\u003e, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an unauthenticated HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint of a vulnerable flyto-core server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emcp_router\u003c/code\u003e (mounted at \u003ccode\u003esrc/core/api/server.py:75-78\u003c/code\u003e) receives the request without requiring authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emcp_post\u003c/code\u003e function (\u003ccode\u003esrc/core/api/routes/mcp.py:65-66\u003c/code\u003e) processes the request body, which is an attacker-controlled JSON-RPC payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandle_jsonrpc_request\u003c/code\u003e function (\u003ccode\u003esrc/core/api/routes/mcp.py:103-104\u003c/code\u003e) forwards the JSON-RPC item containing a \u003ccode\u003etools/call\u003c/code\u003e method with \u003ccode\u003ename: execute_module\u003c/code\u003e and \u003ccode\u003emodule_id: sandbox.execute_shell\u003c/code\u003e to the module dispatcher.\u003c/li\u003e\n\u003cli\u003eThe module registry (\u003ccode\u003esrc/core/mcp_handler.py:180\u003c/code\u003e) resolves \u003ccode\u003esandbox.execute_shell\u003c/code\u003e and invokes it with attacker-supplied \u003ccode\u003eparams\u003c/code\u003e, including a \u003ccode\u003ecommand\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esandbox.execute_shell\u003c/code\u003e module (\u003ccode\u003esrc/core/modules/atomic/sandbox/execute_shell.py:137-139\u003c/code\u003e) extracts the \u003ccode\u003ecommand\u003c/code\u003e directly from \u003ccode\u003eparams\u003c/code\u003e without sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecommand\u003c/code\u003e is passed to \u003ccode\u003easyncio.create_subprocess_shell\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e (\u003ccode\u003esrc/core/modules/atomic/sandbox/execute_shell.py:163-169\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if \u003ccode\u003eflyto serve\u003c/code\u003e is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if \u003ccode\u003eflyto-core\u003c/code\u003e is exposed externally (e.g., bound to \u003ccode\u003e0.0.0.0\u003c/code\u003e), unauthenticated remote attackers can achieve full system compromise with \u003ccode\u003eroot\u003c/code\u003e privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect unauthenticated POST requests to \u003ccode\u003e/mcp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect webserver logs for HTTP POST requests to the \u003ccode\u003e/mcp\u003c/code\u003e URI as an indicator of attempted exploitation.\u003c/li\u003e\n\u003cli\u003ePatch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring \u003ccode\u003erequire_auth\u003c/code\u003e dependency for \u003ccode\u003e/mcp\u003c/code\u003e routes and adding \u003ccode\u003esandbox.*\u003c/code\u003e to the \u003ccode\u003e_DEFAULT_DENYLIST\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:45:25Z","date_published":"2026-07-06T17:45:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/","summary":"flyto-core is vulnerable to unauthenticated command execution via its HTTP MCP endpoint (`POST /mcp`), allowing remote attackers to execute arbitrary OS commands with server privileges by invoking `sandbox.execute_shell` through JSON-RPC requests, potentially leading to full system compromise.","title":"flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`","url":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["flyto-core"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","python","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["flytohub"],"content_html":"\u003cp\u003eThe \u003ccode\u003eflyto-core\u003c/code\u003e application, developed by flytohub, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CWE-918, in its \u003ccode\u003evalidate_url_ssrf\u003c/code\u003e function, specifically within the \u003ccode\u003eis_private_ip\u003c/code\u003e helper in \u003ccode\u003esrc/core/utils.py\u003c/code\u003e. This vulnerability, published on 2026-07-06, allows an authenticated workflow author to bypass the intended SSRF protection by utilizing IPv6 transition addresses. The application's guard, designed to block access to private and cloud metadata services, fails to correctly identify private IP addresses embedded within IPv4-mapped, 6to4, or NAT64 IPv6 formats. This oversight enables attackers to craft URLs using these unblocked IPv6 forms to access internal resources like cloud instance metadata services (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e) or internal loopback services. The response body from these internal services is then returned to the attacker, resulting in a read SSRF that can lead to the exfiltration of sensitive information, such as IAM credentials. This bypass directly undermines the project's documented security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA workflow author, possessing valid authentication credentials for \u003ccode\u003eflyto-core\u003c/code\u003e's Execution API (\u003ccode\u003ePOST /v1/execute\u003c/code\u003e), prepares to execute a module.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing an IPv6 transition-form host, such as \u003ccode\u003ehttp://[::ffff:127.0.0.1]:8080/\u003c/code\u003e for loopback access or \u003ccode\u003ehttp://[64:ff9b::a9fe:a9fe]/latest/meta-data/\u003c/code\u003e for cloud instance metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003ehttp://127.0.0.1:8333/v1/execute\u003c/code\u003e with a JSON payload including \u003ccode\u003e{\u0026quot;module_id\u0026quot;:\u0026quot;http.get\u0026quot;, \u0026quot;params\u0026quot;:{\u0026quot;url\u0026quot;:\u0026quot;[malicious_url]\u0026quot;}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eflyto-core\u003c/code\u003e application invokes \u003ccode\u003evalidate_url_ssrf\u003c/code\u003e, which calls \u003ccode\u003eis_private_ip()\u003c/code\u003e on the IPv6 transition address. Due to the vulnerability, \u003ccode\u003eis_private_ip()\u003c/code\u003e incorrectly returns \u003ccode\u003eFalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttp.get\u003c/code\u003e atomic module proceeds to initiate an outbound HTTP GET request using \u003ccode\u003eaiohttp\u003c/code\u003e to the internal destination specified by the crafted URL.\u003c/li\u003e\n\u003cli\u003eThe internal service (e.g., cloud metadata service or a local web server) processes the request and returns its sensitive response body.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eflyto-core\u003c/code\u003e receives the internal service's response and, as part of the \u003ccode\u003ehttp.get\u003c/code\u003e module's functionality, returns the full response body to the attacker in the \u003ccode\u003e/v1/execute\u003c/code\u003e API response.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive data, such as IAM credentials or internal service information, via a read Server-Side Request Forgery.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an authenticated workflow author to bypass \u003ccode\u003eflyto-core\u003c/code\u003e's security controls and perform read Server-Side Request Forgery (SSRF). This directly enables data exfiltration from internal services that are typically isolated from external access. Specifically, attackers can access cloud instance metadata services (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e) to steal highly sensitive IAM credentials and instance identity information. Additionally, the bypass permits access to internal loopback and RFC 1918 services, potentially exposing other sensitive internal applications or data. The success of this attack directly undermines the intended security model of \u003ccode\u003eflyto-core\u003c/code\u003e, which explicitly documents these checks as critical security controls. While the source does not provide victim numbers, any organization using \u003ccode\u003eflyto-core\u003c/code\u003e is susceptible, especially those deployed in cloud environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patch provided by flytohub, which modifies \u003ccode\u003esrc/core/utils.py\u003c/code\u003e to correctly identify and block private IP addresses embedded within IPv6 transition forms, as demonstrated in the \u0026quot;Suggested fix\u0026quot; section of this brief.\u003c/li\u003e\n\u003cli\u003eReview all \u003ccode\u003eflyto-core\u003c/code\u003e deployments, especially those in cloud environments, to ensure proper network segmentation and defense-in-depth measures limit the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor network egress logs for connections originating from \u003ccode\u003eflyto-core\u003c/code\u003e instances to unusual or internal-only IPv6 addresses, particularly those resembling the IPv4-mapped \u003ccode\u003e::ffff:169.254.169.254\u003c/code\u003e, NAT64 \u003ccode\u003e64:ff9b::/96\u003c/code\u003e, or 6to4 \u003ccode\u003e2002::/16\u003c/code\u003e prefixes.\u003c/li\u003e\n\u003cli\u003eEnsure that cloud metadata services and other sensitive internal endpoints are configured with least privilege access and minimal exposed information, assuming they might eventually be accessed by an SSRF attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:36:55Z","date_published":"2026-07-06T17:36:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/","summary":"An authenticated workflow author can bypass `flyto-core`'s Server-Side Request Forgery (SSRF) protection by crafting URLs with IPv6 transition addresses that embed private IPv4s, allowing for data exfiltration from internal services like cloud instance metadata.","title":"flyto-core SSRF Bypass via IPv6 Transition Addresses (CWE-918)","url":"https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Flytohub","version":"https://jsonfeed.org/version/1.1"}