CVE-2026-45366

Name of the Vulnerable Software and Affected Versions @utcp/http versions prior to 1.1.2

Description The @utcp/http package is subject to a blind Server-Side Request Forgery (SSRF), a flaw where an attacker can force the server to make requests to an unintended location. This is caused by a trust-boundary inconsistency between manual discovery and tool invocation. While the registerManual() function validates the discovery URL against an HTTPS or loopback allowlist, the callTool() function reuses the resolved toolCallTemplate.url without revalidation. Additionally, the OpenApiConverter trusts the servers[0].url declared in an attacker-hosted specification. An attacker hosting a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare internal URLs, such as http://127.0.0.1:9090 or http://169.254.169.254, leading the converter to produce tools that point to internal services on the agent host. A prefix-bypass also existed where the startsWith('http://localhost') guard allowed URLs like http://localhost.evil.com to pass. This can allow attackers to map internal networks, read cloud metadata credentials, or reach unauthenticated internal services.

Recommendations Update to version 1.1.2. Refuse to call registerManual() with any URL controlled by an untrusted party, even over HTTPS. Restrict outbound network access from the host running the agent to ensure internal addresses (RFC1918, 169.254.0.0/16, loopback) are unreachable.