Posted on • Originally published at cvereports.com

CVE-2026-39885: Server-Side Request Forgery and Local File Inclusion in FrontMCP mcp-from-openapi

Vulnerability ID: CVE-2026-39885
CVSS Score: 7.5
Published: 2026-04-08

A high-severity vulnerability exists in the mcp-from-openapi library of the FrontMCP framework. Versions prior to 2.3.0 fail to restrict protocol schemes and network destinations when dereferencing OpenAPI $ref pointers. This flaw allows unauthenticated Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI), enabling attackers to access internal network services, cloud metadata endpoints, and arbitrary local files.

TL;DR

FrontMCP (< 2.3.0) blindly resolves OpenAPI $ref pointers using @apidevtools/json-schema-ref-parser, resulting in high-impact SSRF and LFI vulnerabilities via unrestricted http:// and file:// protocols.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-918 (Server-Side Request Forgery)
  • Attack Vector: Network
  • CVSS Base Score: 7.5 (High)
  • Impact: High Confidentiality, Local File Inclusion
  • Exploit Status: Proof of Concept (PoC)
  • KEV Status: Not Listed

Affected Systems

  • FrontMCP Framework
  • mcp-from-openapi Library
  • @frontmcp/sdk
  • @frontmcp/adapters
  • mcp-from-openapi: < 2.3.0 (Fixed in: 2.3.0)
  • frontmcp: < 1.0.4 (Fixed in: 1.0.4)
  • @frontmcp/sdk: < 1.0.4 (Fixed in: 1.0.4)
  • @frontmcp/adapters: < 1.0.4 (Fixed in: 1.0.4)

Code Analysis

Commit: b69f4d8

Fix: Implement custom resolver for json-schema-ref-parser to block SSRF and LFI via explicit IP/protocol filtering.

Commit: c13e765

Chore: Bump package versions to 1.0.4 and dependencies to mcp-from-openapi 2.3.0.

Exploit Details

  • GitHub Security Advisory: Functional Proof of Concept script demonstrating the SSRF vulnerability using a local Node.js HTTP server.

Mitigation Strategies

  • Upgrade mcp-from-openapi to 2.3.0 and frontmcp framework to 1.0.4.
  • Implement strict allowlist configurations via the refResolution loadOptions setting.
  • Enforce IMDSv2 on AWS EC2 instances to prevent simple GET-based SSRF metadata exfiltration.
  • Apply strict egress network rules (NetworkPolicies/Security Groups) to prevent the application from communicating with internal network ranges.

Remediation Steps:

  1. Audit project dependencies to identify usage of vulnerable frontmcp or mcp-from-openapi packages.
  2. Execute npm update frontmcp @frontmcp/sdk @frontmcp/adapters mcp-from-openapi to pull the latest versions.
  3. Modify initialization logic to pass an explicit allowedHosts array to the refResolution configuration block.
  4. Verify the application runs in a restrictive filesystem environment (e.g., read-only root filesystem in Docker) to minimize LFI impact.
  5. Deploy testing suites to assert that OpenAPI schemas referencing internal IPs or local files are rejected by the updated library.
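The allowlist and custom-resolver mitigations above, as an added example (not FrontMCP's or json-schema-ref-parser's own code): a URL policy that a custom resolver applies before any $ref target is read. It assumes the resolver plugin shape (order/canRead/read) and the resolve.file/resolve.http switches of @apidevtools/json-schema-ref-parser, and does not show FrontMCP's own refResolution configuration, whose exact shape the report does not give.

```javascript
// True for IPv4/IPv6 literals in loopback, private, link-local (incl. 169.254.169.254),
// carrier-NAT or unspecified ranges. URL.hostname wraps IPv6 literals in brackets; strip them.
function isInternalAddress(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  if (!h.includes(':')) return false;            // a DNS name: decided by the allowlist
  if (h === '::' || h === '::1' || h.startsWith('fe80:') || /^f[cd]/.test(h)) return true;
  const mapped = h.match(/^::ffff:(.+)$/);        // IPv4-mapped; URL serializes it as hex, e.g. ::ffff:a00:1
  if (!mapped) return false;
  if (mapped[1].includes('.')) return isInternalAddress(mapped[1]);
  const [hi, lo] = mapped[1].split(':').map((g) => parseInt(g, 16));
  return isInternalAddress(`${hi >>> 8}.${hi & 255}.${lo >>> 8}.${lo & 255}`);
}

// Policy for one $ref target: only http(s) URLs to an allowlisted hostname pass.
// file:, data: and every other scheme is refused, as are embedded credentials.
function isAllowedRefUrl(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  if (url.username || url.password) return false;
  if (isInternalAddress(url.hostname)) return false;
  return allowedHosts.includes(url.hostname);    // exact match, no wildcards
}

// Resolver plugin in the {order, canRead, read} shape json-schema-ref-parser accepts.
// Register it with the built-in resolvers disabled, e.g.
//   $RefParser.dereference(spec, { resolve: { file: false, http: false, safe: createSafeRefResolver(hosts) } })
// so a $ref the policy refuses has no resolver left and dereferencing fails instead of fetching.
function createSafeRefResolver(allowedHosts) {
  return {
    order: 1,
    canRead: (file) => isAllowedRefUrl(file.url, allowedHosts),
    read: async (file) => {
      // redirect: 'error' keeps an allowlisted host from bouncing the fetch to an internal address
      const res = await fetch(file.url, { redirect: 'error' });
      if (!res.ok) throw new Error(`$ref fetch failed with HTTP ${res.status}`);
      return await res.text();
    },
  };
}
```

DNS names on the allowlist are still resolved by the runtime, so a name that later resolves to an internal address (DNS rebinding) is not caught here; the egress rules listed above cover that case.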

Read the full report for CVE-2026-39885 on our website for more details including interactive diagrams and full exploit analysis.
