
Description

FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
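The root cause above is that the dereferencer is handed an untrusted document and allowed to follow every $ref it finds, including absolute URLs, file: URLs and relative paths that the default file resolver turns into filesystem reads. The following is an added example, not code from FrontMCP or mcp-from-openapi, showing the pre-flight check a practitioner would put in front of any dereference call: walk the document, treat every string-valued $ref as a reference, and refuse the whole spec unless each one is a fragment-only JSON pointer (#/...) into the same document. The sample spec, the function names and the error text are constructed for this illustration and are not taken from the advisory.

```typescript
// Added example (not FrontMCP / mcp-from-openapi code): reject an untrusted
// OpenAPI document before any $ref dereferencer is allowed to touch it.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

export interface RefFinding {
  path: string;   // JSON pointer to the offending $ref keyword
  ref: string;    // the $ref value as written in the document
  reason: string; // why a dereferencer following it would be unsafe
}

// Only fragment-only pointers stay inside the document being processed.
export function isLocalRef(ref: string): boolean {
  return ref === "#" || ref.startsWith("#/");
}

// Returns null for a safe (local) reference, otherwise a short reason string.
export function classifyRef(ref: string): string | null {
  if (isLocalRef(ref)) return null;
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(ref);
  if (scheme) {
    const s = scheme[1].toLowerCase();
    if (s === "http" || s === "https") return "remote URL (SSRF)";
    if (s === "file") return "file URL (local file read)";
    return `unsupported scheme "${s}"`;
  }
  // No scheme at all: a default file resolver reads this relative to the spec's location.
  return "relative path (local file read)";
}

// RFC 6901 escaping so the reported pointer can be fed back to tooling unchanged.
function escapeToken(token: string): string {
  return token.replace(/~/g, "~0").replace(/\//g, "~1");
}

// Depth-first walk; every object key "$ref" with a string value is a reference.
export function findUnsafeRefs(node: Json, pointer = ""): RefFinding[] {
  const findings: RefFinding[] = [];
  if (Array.isArray(node)) {
    node.forEach((item, i) => findings.push(...findUnsafeRefs(item, `${pointer}/${i}`)));
    return findings;
  }
  if (node === null || typeof node !== "object") return findings;
  for (const [key, value] of Object.entries(node)) {
    const childPointer = `${pointer}/${escapeToken(key)}`;
    if (key === "$ref" && typeof value === "string") {
      const reason = classifyRef(value);
      if (reason !== null) findings.push({ path: childPointer, ref: value, reason });
      continue; // a $ref object's siblings are ignored by dereferencers anyway
    }
    findings.push(...findUnsafeRefs(value, childPointer));
  }
  return findings;
}

// Gate to call before the dereference step: throws on the first unsafe document.
export function rejectUnsafeSpec(doc: Json): void {
  const findings = findUnsafeRefs(doc);
  if (findings.length === 0) return;
  const lines = findings.map((f) => `  ${f.path}: ${f.ref} (${f.reason})`);
  throw new Error(`refusing to dereference untrusted spec:\n${lines.join("\n")}`);
}

// Constructed malicious spec: one local ref plus three refs a default resolver would follow.
export const maliciousSpec: Json = {
  openapi: "3.0.3",
  info: { title: "constructed example", version: "1" },
  paths: {
    "/pets": {
      get: {
        responses: {
          "200": { $ref: "http://169.254.169.254/latest/meta-data/" },
          "404": { $ref: "#/components/responses/NotFound" },
        },
      },
    },
  },
  components: {
    schemas: {
      Secret: { $ref: "file:///etc/passwd" },
      Sibling: { $ref: "../../.env#/DB_PASSWORD" },
    },
    responses: { NotFound: { description: "not found" } },
  },
};

// Constructed benign spec: same shape, only document-local references.
export const safeSpec: Json = {
  openapi: "3.0.3",
  info: { title: "constructed example", version: "1" },
  paths: { "/pets": { get: { responses: { "404": { $ref: "#/components/responses/NotFound" } } } } },
  components: { responses: { NotFound: { description: "not found" } } },
};

for (const f of findUnsafeRefs(maliciousSpec)) console.log(`${f.path} -> ${f.ref} (${f.reason})`);
```

Run the check on the document before it reaches the dereferencer and fail closed; the walk is cheap compared to a single network fetch, and the report lists every offending pointer so a spec author can see exactly what was refused. This complements, rather than replaces, configuring the dereferencer itself: json-schema-ref-parser's documented resolve options let a caller set resolve.file and resolve.http to false, which disables those resolvers outright and is the library-level counterpart of the fix the advisory describes.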

Status: PUBLISHED | Reserved 2026-04-07 | Published 2026-04-08 | Updated 2026-04-09 | Assigner: GitHub_M

Severity

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 1.0.4
affected

< 1.0.4
affected

< 1.0.4
affected

< 2.3.0
affected

References

github.com/...ontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj exploit

github.com/...ontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj

github.com/agentfront/frontmcp/releases/tag/v1.0.4

cve.org (CVE-2026-39885)

nvd.nist.gov (CVE-2026-39885)
