FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NAgentfront Frontmcp
APPAgentfront< 1.0.4Agentfront \@frontmcp\/adapters
APPAgentfront< 1.0.4Agentfront \@frontmcp\/sdk
APPAgentfront< 1.0.4Frontmcp Mcp From Openapi
APPFrontmcp< 2.3.0
Related vulnerabilities
Ucieczka z sandboxa i RCE w Agentfront Enclave (przed wersjΔ 2.11.1)
Ucieczka z sandbox w Agentfront Enclave β RCE w Εrodowisku Node.js
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existin...