PT-2026-31451 · Unknown+1 · Mcp-From-Openapi+2

Published

2026-04-08

·

Updated

2026-04-08

·

CVE-2026-39885

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FrontMCP versions prior to 2.3.0
Description: mcp-from-openapi dereferences $ref pointers in an OpenAPI specification with @apidevtools/json-schema-ref-parser using the parser's default resolvers, which follow external references without any protocol or host restriction. During initialize(), every external $ref in the specification is fetched: http:// and https:// references reach whatever the host running the library can reach (internal services, cloud metadata endpoints), and file:// references read the local filesystem (as do relative paths, which the parser resolves against the local file the specification was loaded from). Because dereference() splices the fetched content into the document in place of the $ref, data from the target ends up in the generated MCP tool definitions. An attacker who can supply a specification can therefore point a $ref at a cloud metadata endpoint (e.g. http://169.254.169.254/latest/meta-data/iam/security-credentials/) to obtain instance credentials, at internal addresses to probe the network, or at a local file (e.g. file:///etc/passwd) to read it. The parser's defaults are its documented behaviour; the weakness is that mcp-from-openapi passes untrusted specifications to it without restricting resolution. No privileges beyond providing the crafted specification are required.
Recommendations: Update to FrontMCP 2.3.0 or later. If calling the parser directly, pass resolver options to dereference() that restrict what may be fetched: disable the file resolver (resolve.file = false) and constrain the http resolver, which in json-schema-ref-parser handles both http:// and https:// URLs, to an explicit host allow-list with redirects disabled, so that an allowed host cannot redirect the fetch to a metadata address. Where no external references are needed, disable external resolution entirely with resolve: { file: false, http: false } (or resolve: { external: false }); a separate https key is accepted but not needed, since the http resolver already covers https.
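The following is an added example, not code from mcp-from-openapi, FrontMCP or the advisory. It shows the two layers a caller would put in front of dereference() for an untrusted specification: a pre-flight scan that walks the document, resolves every $ref against the base URL and rejects file, relative-to-file, private-network, metadata and non-allow-listed targets, and a hardened options object for $RefParser.dereference(spec, options). Assumptions: the options object is merged with the parser's built-in resolvers (so canRead on resolve.http only gates what the built-in HTTP resolver fetches and receives a file-info object with a url property), and redirects and timeout are the HTTP resolver's documented options. The sample specification, host names and functions (checkSpec, hardenedRefParserOptions) are constructed for the example. The scan runs with no dependencies; only the returned options are meant to be handed to the parser.

```javascript
'use strict';

// Well-known metadata hostnames that must never be fetched from an untrusted spec.
const METADATA_HOSTS = new Set([
  '169.254.169.254',          // AWS, Azure, GCP, OpenStack IMDS
  'metadata.google.internal', // GCP
  'metadata',                 // GCP short alias
  '100.100.100.200',          // Alibaba Cloud
  'fd00:ec2::254',            // AWS IMDS over IPv6
]);

// True for loopback, link-local (where cloud metadata lives), RFC 1918, unspecified
// and IPv4-mapped addresses, plus the metadata names above.
function isPrivateOrLocalHost(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase(); // new URL() keeps [] around IPv6
  if (h === 'localhost' || h.endsWith('.localhost') || METADATA_HOSTS.has(h)) return true;
  if (/^\d+$/.test(h)) {                                // http://2852039166/ is 169.254.169.254
    const n = Number(h) >>> 0;
    return isPrivateOrLocalHost([n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.'));
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (h.includes(':')) {
    return h === '::' || h === '::1' || /^fe[89ab]/.test(h) || /^f[cd]/.test(h) || h.startsWith('::ffff:');
  }
  return false;
}

const esc = (k) => k.replace(/~/g, '~0').replace(/\//g, '~1'); // JSON-pointer escaping

// Walk the parsed spec and return every $ref with the pointer of the object holding it.
function collectRefs(node, path = '#', out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => collectRefs(v, `${path}/${i}`, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k === '$ref' && typeof v === 'string') out.push({ path, ref: v });
      else collectRefs(v, `${path}/${esc(k)}`, out);
    }
  }
  return out;
}

// Resolve one $ref the way the parser would (against baseUrl) and decide whether to allow it.
function classifyRef(ref, baseUrl, allow) {
  if (ref.startsWith('#')) return { kind: 'internal', ok: true };
  let url;
  try { url = new URL(ref, baseUrl); } catch { return { kind: 'unparseable', ok: false, target: ref }; }
  const target = url.href;
  if (url.protocol === 'file:') return { kind: 'file', ok: false, target };
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { kind: 'scheme', ok: false, target };
  if (isPrivateOrLocalHost(url.hostname)) return { kind: 'internal-network', ok: false, target };
  if (!allow.has(url.hostname.toLowerCase())) return { kind: 'host-not-allowed', ok: false, target };
  return { kind: 'external', ok: true, target };
}

// Pre-flight check to run before dereference(). An untrusted spec with no known origin is
// treated as if loaded from a local file, which is what makes relative refs dangerous.
function checkSpec(spec, { baseUrl = 'file:///untrusted/openapi.json', allowedHosts = [] } = {}) {
  const allow = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const violations = [];
  for (const { path, ref } of collectRefs(spec)) {
    const v = classifyRef(ref, baseUrl, allow);
    if (!v.ok) violations.push({ path, ref, kind: v.kind, target: v.target });
  }
  return { ok: violations.length === 0, violations };
}

// Options for $RefParser.dereference(spec, options). Assumption (see lead-in): these merge
// with the built-in resolvers, so canRead only gates what the built-in HTTP resolver fetches.
function hardenedRefParserOptions(allowedHosts) {
  const allow = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return {
    resolve: {
      file: false,          // never read the local filesystem (also kills relative refs)
      http: {               // covers both http:// and https://
        redirects: 0,       // an allowed host must not be able to redirect us to 169.254.169.254
        timeout: 5000,
        canRead: (file) => {
          const { protocol, hostname } = new URL(file.url);
          return (protocol === 'http:' || protocol === 'https:') &&
            !isPrivateOrLocalHost(hostname) && allow.has(hostname.toLowerCase());
        },
      },
    },
  };
}

// Constructed sample spec carrying the attack vectors described in the advisory.
const MALICIOUS_SPEC = {
  openapi: '3.0.0',
  paths: { '/creds': { get: { responses: { 200: { content: { 'application/json': { schema: {
    $ref: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/' } } } } } } } },
  components: { schemas: {
    Passwd:  { $ref: 'file:///etc/passwd' },
    Numeric: { $ref: 'http://2852039166/latest/meta-data/' },   // decimal form of 169.254.169.254
    Sibling: { $ref: './other.yaml#/components/schemas/X' },     // relative: read from the local base
    Local:   { $ref: '#/components/schemas/Sibling' },
    Partner: { $ref: 'https://schemas.example.com/common.json#/Error' },
  } },
};

function demo() {
  return checkSpec(MALICIOUS_SPEC, { allowedHosts: ['schemas.example.com'] });
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block reports four violations (the metadata URL, the file:// URL, the decimal-IP variant and the relative path) and leaves the internal and allow-listed refs alone. The scan is a belt-and-braces check for logging and for failing fast; the options object is what actually stops the parser from fetching anything the scan missed, such as $refs inside a document retrieved from an allowed host. Note that both checks match host names, not resolved addresses, so a name on the allow-list that resolves (or rebinds) to an internal address is still fetched; if that matters, resolve the name and re-check the address at connection time.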

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-39885
GHSA-v6ph-xcq9-qxxj

Affected Products

@apidevtools/json-schema-ref-parser
FrontMCP
mcp-from-openapi