FrontMCP Server-Side Request Forgery Vulnerability via Untrusted OpenAPI Specifications

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in FrontMCP versions prior to 2.3.0. The issue arises in the 'mcp-from-openapi' library, which dereferences '$ref' pointers in OpenAPI specifications using '@apidevtools/json-schema-ref-parser'. Because this resolution is performed without URL restrictions or custom resolvers, a malicious OpenAPI specification can point '$ref' values at internal network addresses, cloud metadata endpoints, or local files. During the 'initialize()' call, the library fetches these resources, so processing an untrusted OpenAPI specification can result in SSRF and local file read.

Impact

Exploitation of this vulnerability allows for Server-Side Request Forgery (SSRF) attacks, where internal services or cloud metadata endpoints can be accessed and potentially exploited. Additionally, local files can be read from the server's filesystem, creating further security risks.

Reproduction

To reproduce this vulnerability, create a malicious OpenAPI specification that includes '$ref' pointers directed towards internal network addresses, cloud metadata URLs, or local files. When this specification is processed by the 'mcp-from-openapi' library, the referenced resources are fetched, demonstrating the SSRF or local file read. The vulnerability can be confirmed by observing the library's 'initialize()' call fetch the maliciously referenced resource, such as a local file or an internal service URL.

Remediation

Users should upgrade to FrontMCP version 2.3.0 or later, where this vulnerability has been addressed; version 2.3.0 of the 'mcp-from-openapi' library includes the same fix. Additionally, when using the library, it is recommended to configure '$ref' resolution options that restrict which protocols and hosts are allowed, or to disable external resolution entirely and require all schemas to be inline.
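As an added example (not code from FrontMCP or the 'mcp-from-openapi' project), the following JavaScript implements the allow-list approach described above as a pre-check run over an untrusted specification before any dereferencing takes place: every '$ref' must be either a local JSON pointer ('#/...') or an https URL whose host is on an explicit allow-list; filesystem paths, 'file:' and 'http:' URLs, and unknown hosts are reported as violations. The allow-listed host 'schemas.example.com' and the sample specification are constructed for illustration.

```javascript
// Added example: validate every `$ref` in an untrusted OpenAPI document before
// handing it to a dereferencer. Only local JSON pointers and https URLs to
// allow-listed hosts pass; everything else is reported with a reason.

// Constructed placeholder: the hosts from which remote schemas may be loaded.
const ALLOWED_REF_HOSTS = new Set(['schemas.example.com']);

// Classify a single `$ref` value. Returns { ok, kind } or { ok: false, reason }.
function classifyRef(ref, allowedHosts = ALLOWED_REF_HOSTS) {
  if (typeof ref !== 'string') return { ok: false, reason: 'non-string $ref' };
  // Local JSON pointers never leave the document.
  if (ref.startsWith('#')) return { ok: true, kind: 'local' };
  let url;
  try {
    url = new URL(ref);
  } catch {
    // No scheme: a relative or absolute path, which resolvers read from disk.
    return { ok: false, reason: 'filesystem path reference' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `disallowed scheme ${url.protocol}` };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host not allow-listed: ${url.hostname}` };
  }
  return { ok: true, kind: 'remote' };
}

// Walk the whole document and collect every `$ref` with its JSONPath-like location.
function collectRefs(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => collectRefs(v, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (k === '$ref') out.push({ path: `${path}.$ref`, ref: v });
      else collectRefs(v, `${path}.${k}`, out);
    }
  }
  return out;
}

// Return the list of `$ref` violations; an empty list means the spec is safe to dereference.
function validateRefs(spec, allowedHosts = ALLOWED_REF_HOSTS) {
  const violations = [];
  for (const { path, ref } of collectRefs(spec)) {
    const result = classifyRef(ref, allowedHosts);
    if (!result.ok) violations.push({ path, ref, reason: result.reason });
  }
  return violations;
}

// Constructed sample specification: one local pointer, one allow-listed https
// reference, and three references of the kinds the advisory describes
// (internal host, cloud metadata endpoint, local file).
const SAMPLE_SPEC = {
  openapi: '3.0.0',
  paths: {
    '/users': {
      get: {
        responses: {
          200: { content: { 'application/json': { schema: { $ref: '#/components/schemas/User' } } } },
        },
      },
    },
  },
  components: {
    schemas: {
      User: { $ref: 'https://schemas.example.com/user.json' },
      Internal: { $ref: 'http://10.0.0.5:8080/openapi.json' },
      Metadata: { $ref: 'http://169.254.169.254/latest/meta-data/' },
      Secret: { $ref: 'file:///srv/app/secrets.json' },
    },
  },
};

// Usage: refuse to dereference when any violation is reported.
const violations = validateRefs(SAMPLE_SPEC);
if (violations.length > 0) {
  for (const v of violations) console.log(`rejected ${v.path} -> ${v.ref}: ${v.reason}`);
} else {
  console.log('all $ref targets allowed; safe to dereference');
}
```

Only when 'validateRefs' returns an empty list should the specification be passed to the dereferencer. When no remote schemas are needed at all, the stricter option the advisory mentions is to turn off external resolution in the parser itself (in '@apidevtools/json-schema-ref-parser' this is the 'resolve.external' option set to 'false'), so that even a specification that slipped past validation cannot cause a network or file fetch.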

Added: Apr 8, 2026, 10:07 PM
Updated: Apr 8, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.7
  remediation     0.0
  relevance       5.5
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.