Ylchen-007In

#50329 of 53,625
4.7 Total CVSS
Vulnerabilities · 1
PT-2026-38625
4.7
2026-05-07
Pypi · Python-Utcp · CVE-2026-44661
**Name of the Vulnerable Software and Affected Versions**

python-utcp versions prior to 1.1.3

**Description**

The `utcp-http` plugin is subject to a blind Server-Side Request Forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. This occurs due to a trust-boundary inconsistency between manual discovery and tool invocation. While the `register_manual()` function validates the discovery URL against an HTTPS or loopback allowlist, the `call_tool()` and `call_tool_streaming()` functions reuse the resolved `tool_call_template.url` without revalidation.

Additionally, the OpenAPI converter trusts the `servers[0].url` declared in an attacker-hosted specification. An attacker hosting a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare internal addresses, such as `http://127.0.0.1:9090` or `http://169.254.169.254`, causing the converter to produce tools that point to internal services on the agent host. This gap affects the `utcp_http.http`, `utcp_http.streamable_http`, and `utcp_http.sse` protocols.

A separate prefix bypass existed where a check using `startswith("http://localhost")` allowed URLs like `http://localhost.evil.com` to pass.

**Recommendations**

Update to version 1.1.3. Refuse to call `register_manual()` with any URL controlled by an untrusted party, even over HTTPS. Restrict outbound network access from the host running the agent so that internal addresses, such as RFC1918 ranges, 169.254.0.0/16 (cloud metadata), and loopback, are unreachable.
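The two validation gaps described above, shown as an added example that is not python-utcp's code or its 1.1.3 fix: a prefix check beside a parsed-hostname check, and a call-time recheck of the resolved tool URL. The function names, the `specs.example.com` URL and the call-time policy are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def prefix_check(url: str) -> bool:
    # Flawed pattern named in the advisory: string-prefix matching on the raw URL.
    return url.startswith("https://") or url.startswith("http://localhost")

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def _is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is not loopback

def _is_internal_literal(host: str) -> bool:
    # Literal addresses only; a DNS name that resolves to an internal address
    # is not caught here, which is why egress filtering is still recommended.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def host_check(url: str) -> bool:
    # HTTPS-or-loopback allowlist, decided on the parsed hostname.
    scheme, host = urlsplit(url).scheme, _host(url)
    if scheme == "https":
        return bool(host)
    return scheme == "http" and _is_loopback(host)

def check_tool_url(manual_url: str, tool_url: str) -> bool:
    # Assumed call-time policy (not the project's): revalidate the resolved URL,
    # and do not let a remotely fetched manual point tools at internal hosts.
    if not host_check(tool_url):
        return False
    manual_is_local = _is_loopback(_host(manual_url))
    return manual_is_local or not _is_internal_literal(_host(tool_url))

# Constructed sample: the shape of the attacker-hosted OpenAPI spec in the advisory.
SPEC_URL = "https://specs.example.com/openapi.json"
SPEC = {"servers": [{"url": "http://127.0.0.1:9090"}]}
```

Running `check_tool_url` at both registration and every call keeps the discovery-time and invocation-time trust decisions consistent.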