<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Flytohub - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/flytohub/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:45:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/flytohub/feed.xml" rel="self" type="application/rss+xml"/><item><title>flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`</title><link>https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/</link><pubDate>Mon, 06 Jul 2026 17:45:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-flyto-core-unauthenticated-rce/</guid><description>flyto-core is vulnerable to unauthenticated command execution via its HTTP MCP endpoint (`POST /mcp`), allowing remote attackers to execute arbitrary OS commands with server privileges by invoking `sandbox.execute_shell` through JSON-RPC requests, potentially leading to full system compromise.</description><content:encoded><![CDATA[<p>flyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (<code>POST /mcp</code>), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC <code>tools/call</code> requests that are then dispatched to arbitrary internal modules, including <code>sandbox.execute_shell</code>. This specific module executes attacker-controlled input directly via <code>asyncio.create_subprocess_shell</code> with <code>shell=True</code>, bypassing security controls. By default, flyto-core binds to <code>127.0.0.1</code>, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to <code>--host 0.0.0.0</code>, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker sends an unauthenticated HTTP POST request to the <code>/mcp</code> endpoint of a vulnerable flyto-core server.</li>
<li>The <code>mcp_router</code> (mounted at <code>src/core/api/server.py:75-78</code>) receives the request without requiring authentication.</li>
<li>The <code>mcp_post</code> function (<code>src/core/api/routes/mcp.py:65-66</code>) processes the request body, which is an attacker-controlled JSON-RPC payload.</li>
<li>The <code>handle_jsonrpc_request</code> function (<code>src/core/api/routes/mcp.py:103-104</code>) forwards the JSON-RPC item containing a <code>tools/call</code> method with <code>name: execute_module</code> and <code>module_id: sandbox.execute_shell</code> to the module dispatcher.</li>
<li>The module registry (<code>src/core/mcp_handler.py:180</code>) resolves <code>sandbox.execute_shell</code> and invokes it with attacker-supplied <code>params</code>, including a <code>command</code> argument.</li>
<li>The <code>sandbox.execute_shell</code> module (<code>src/core/modules/atomic/sandbox/execute_shell.py:137-139</code>) extracts the <code>command</code> directly from <code>params</code> without sanitization.</li>
<li>The <code>command</code> is passed to <code>asyncio.create_subprocess_shell</code> with <code>shell=True</code> (<code>src/core/modules/atomic/sandbox/execute_shell.py:163-169</code>).</li>
<li>The flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if <code>flyto serve</code> is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if <code>flyto-core</code> is exposed externally (e.g., bound to <code>0.0.0.0</code>), unauthenticated remote attackers can achieve full system compromise with <code>root</code> privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect unauthenticated POST requests to <code>/mcp</code>.</li>
<li>Inspect webserver logs for HTTP POST requests to the <code>/mcp</code> URI as an indicator of attempted exploitation.</li>
<li>Patch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring <code>require_auth</code> dependency for <code>/mcp</code> routes and adding <code>sandbox.*</code> to the <code>_DEFAULT_DENYLIST</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>unauthenticated-rce</category><category>command-injection</category><category>web-application</category><category>ghsa</category><category>linux</category></item><item><title>flyto-core SSRF Bypass via IPv6 Transition Addresses (CWE-918)</title><link>https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/</link><pubDate>Mon, 06 Jul 2026 17:36:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-flyto-core-ssrf-bypass/</guid><description>An authenticated workflow author can bypass `flyto-core`'s Server-Side Request Forgery (SSRF) protection by crafting URLs with IPv6 transition addresses that embed private IPv4s, allowing for data exfiltration from internal services like cloud instance metadata.</description><content:encoded><![CDATA[<p>The <code>flyto-core</code> application, developed by flytohub, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CWE-918, in its <code>validate_url_ssrf</code> function, specifically within the <code>is_private_ip</code> helper in <code>src/core/utils.py</code>. This vulnerability, published on 2026-07-06, allows an authenticated workflow author to bypass the intended SSRF protection by utilizing IPv6 transition addresses. The application's guard, designed to block access to private and cloud metadata services, fails to correctly identify private IP addresses embedded within IPv4-mapped, 6to4, or NAT64 IPv6 formats. This oversight enables attackers to craft URLs using these unblocked IPv6 forms to access internal resources like cloud instance metadata services (e.g., <code>169.254.169.254</code>) or internal loopback services. The response body from these internal services is then returned to the attacker, resulting in a read SSRF that can lead to the exfiltration of sensitive information, such as IAM credentials. This bypass directly undermines the project's documented security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A workflow author, possessing valid authentication credentials for <code>flyto-core</code>'s Execution API (<code>POST /v1/execute</code>), prepares to execute a module.</li>
<li>The attacker crafts a malicious URL containing an IPv6 transition-form host, such as <code>http://[::ffff:127.0.0.1]:8080/</code> for loopback access or <code>http://[64:ff9b::a9fe:a9fe]/latest/meta-data/</code> for cloud instance metadata.</li>
<li>The attacker sends a <code>POST</code> request to <code>http://127.0.0.1:8333/v1/execute</code> with a JSON payload including <code>{&quot;module_id&quot;:&quot;http.get&quot;, &quot;params&quot;:{&quot;url&quot;:&quot;[malicious_url]&quot;}}</code>.</li>
<li>The <code>flyto-core</code> application invokes <code>validate_url_ssrf</code>, which calls <code>is_private_ip()</code> on the IPv6 transition address. Due to the vulnerability, <code>is_private_ip()</code> incorrectly returns <code>False</code>.</li>
<li>The <code>http.get</code> atomic module proceeds to initiate an outbound HTTP GET request using <code>aiohttp</code> to the internal destination specified by the crafted URL.</li>
<li>The internal service (e.g., cloud metadata service or a local web server) processes the request and returns its sensitive response body.</li>
<li><code>flyto-core</code> receives the internal service's response and, as part of the <code>http.get</code> module's functionality, returns the full response body to the attacker in the <code>/v1/execute</code> API response.</li>
<li>The attacker successfully exfiltrates sensitive data, such as IAM credentials or internal service information, via a read Server-Side Request Forgery.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows an authenticated workflow author to bypass <code>flyto-core</code>'s security controls and perform read Server-Side Request Forgery (SSRF). This directly enables data exfiltration from internal services that are typically isolated from external access. Specifically, attackers can access cloud instance metadata services (e.g., <code>169.254.169.254</code>) to steal highly sensitive IAM credentials and instance identity information. Additionally, the bypass permits access to internal loopback and RFC 1918 services, potentially exposing other sensitive internal applications or data. The success of this attack directly undermines the intended security model of <code>flyto-core</code>, which explicitly documents these checks as critical security controls. While the source does not provide victim numbers, any organization using <code>flyto-core</code> is susceptible, especially those deployed in cloud environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the patch provided by flytohub, which modifies <code>src/core/utils.py</code> to correctly identify and block private IP addresses embedded within IPv6 transition forms, as demonstrated in the &quot;Suggested fix&quot; section of this brief.</li>
<li>Review all <code>flyto-core</code> deployments, especially those in cloud environments, to ensure proper network segmentation and defense-in-depth measures limit the impact of potential SSRF vulnerabilities.</li>
<li>Monitor network egress logs for connections originating from <code>flyto-core</code> instances to unusual or internal-only IPv6 addresses, particularly those resembling the IPv4-mapped <code>::ffff:169.254.169.254</code>, NAT64 <code>64:ff9b::/96</code>, or 6to4 <code>2002::/16</code> prefixes.</li>
<li>Ensure that cloud metadata services and other sensitive internal endpoints are configured with least privilege access and minimal exposed information, assuming they might eventually be accessed by an SSRF attack.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>vulnerability</category><category>python</category><category>defense-evasion</category></item></channel></rss>