Open-WebSearch Non-Blind Server-Side Request Forgery Vulnerability

Vulnerability

A non-blind server-side request forgery (SSRF) vulnerability has been identified in Open-WebSearch versions prior to 2.1.7. The issue arises in the 'isPublicHttpUrl' and 'assertPublicHttpUrl' functions within 'src/utils/urlSafety.ts', which fail to properly handle bracketed IPv6 literals and do not resolve hostnames via DNS before checking the address. This combination allows attackers to send requests to internal services or metadata endpoints, with the response body returned to the caller.

Impact

Exploitation of this vulnerability allows cross-tenant SSRF in which arbitrary private-network URLs are fetched and the full response body is returned to the caller. This includes access to AWS EC2 metadata, internal dashboards, loopback services, and RFC 1918 neighbors. The vulnerability is pre-authentication when the 'enableHttpServer' option is set, as there is no authentication on the '/mcp' or '/sse' endpoints. Additionally, the vulnerability can be exploited through DNS rebinding attacks or via the command line, bypassing the HTTP server entirely.
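
The two defects named above (bracketed IPv6 literals not being unwrapped, and hostnames not being resolved) are both checks that a public-URL gate has to make. The following is an added example of such a gate written for this advisory; it is not the Open-WebSearch code and it does not reproduce the project's 'urlSafety.ts'. It reuses the names 'isPublicHttpUrl' and 'vetHttpUrl' for illustration only. It parses the URL with the WHATWG 'URL' class (which keeps IPv6 hosts in brackets and normalises IPv4 shorthand such as '127.1' or '0x7f000001'), expands IPv6 literals itself so that IPv4-mapped ('::ffff:7f00:1'), IPv4-compatible, NAT64 and 6to4 forms are classified by the embedded IPv4 address, and, for hostnames, requires the caller to pass the answers of a single DNS lookup so that the HTTP client can be pinned to exactly those addresses. Returning the vetted address list rather than a bare boolean is what closes the DNS-rebinding window the Impact section mentions: the client must connect to the returned addresses instead of resolving the name a second time. All sample addresses in the code and usage are constructed.

```typescript
// Added example: a public-URL gate for an SSRF filter. Not Open-WebSearch code.

// Parse a dotted-quad IPv4 literal into four octets, or null if malformed.
export function parseIpv4(text: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Parse an IPv6 literal into eight 16-bit groups, or null if malformed.
// Handles "::" compression and an embedded dotted quad ("::ffff:127.0.0.1").
export function parseIpv6(text: string): number[] | null {
  let s = text;
  let tail: number[] = [];
  const lastColon = s.lastIndexOf(":");
  if (lastColon !== -1 && s.slice(lastColon + 1).includes(".")) {
    const v4 = parseIpv4(s.slice(lastColon + 1));
    if (!v4) return null;
    tail = [(v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]];
    s = s.slice(0, lastColon + 1);          // keep "::" if that is what preceded the quad
    if (!s.endsWith("::")) s = s.slice(0, -1);
  }
  const toGroups = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const g of part.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null; // also rejects zone ids like "%eth0"
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = toGroups(halves[0]);
  if (!head) return null;
  let groups: number[];
  if (halves.length === 2) {
    const mid = toGroups(halves[1]);
    if (!mid) return null;
    const missing = 8 - head.length - mid.length - tail.length;
    if (missing < 1) return null;           // "::" must stand for at least one group
    groups = [...head, ...Array<number>(missing).fill(0), ...mid, ...tail];
  } else {
    groups = [...head, ...tail];
  }
  return groups.length === 8 ? groups : null;
}

// Non-public IPv4: this-host, loopback, RFC 1918, CGNAT, link-local (which
// covers the 169.254.169.254 cloud metadata endpoint), multicast and reserved.
function isPrivateIpv4([a, b]: number[]): boolean {
  return a === 0 || a === 10 || a === 127
    || (a === 100 && b >= 64 && b <= 127)
    || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || a >= 224;
}

// Non-public IPv6, including every form that carries an IPv4 address inside it.
function isPrivateIpv6(g: number[]): boolean {
  const zeros = (n: number) => g.slice(0, n).every((x) => x === 0);
  const v4 = (hi: number, lo: number) =>
    isPrivateIpv4([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  if (zeros(7) && g[7] <= 1) return true;                  // :: and ::1
  if (zeros(5) && g[5] === 0xffff) return v4(g[6], g[7]);  // ::ffff:a.b.c.d (IPv4-mapped)
  if (zeros(6)) return v4(g[6], g[7]);                     // ::a.b.c.d (IPv4-compatible)
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0))
    return v4(g[6], g[7]);                                 // 64:ff9b::/96 (NAT64)
  if (g[0] === 0x2002) return v4(g[1], g[2]);              // 2002::/16 (6to4)
  return (g[0] & 0xfe00) === 0xfc00                        // fc00::/7 unique local
    || (g[0] & 0xffc0) === 0xfe80                          // fe80::/10 link-local
    || (g[0] & 0xff00) === 0xff00;                         // ff00::/8 multicast
}

// Classify one IP literal; anything unparseable is treated as non-public (fail closed).
export function isPublicAddress(ip: string): boolean {
  const v4 = parseIpv4(ip);
  if (v4) return !isPrivateIpv4(v4);
  const v6 = parseIpv6(ip);
  if (v6) return !isPrivateIpv6(v6);
  return false;
}

// Returns the addresses the HTTP client must connect to, or null to refuse the URL.
// For a hostname, pass the answers of ONE DNS lookup (e.g. dns.promises.lookup(host,
// { all: true })) and connect to exactly those; re-resolving at connect time reopens
// the rebinding window.
export function vetHttpUrl(raw: string, resolvedAddresses?: string[]): string[] | null {
  let u: URL;
  try { u = new URL(raw); } catch (_err) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null;
  // The WHATWG parser keeps brackets on IPv6 hosts ("[::ffff:7f00:1]") and
  // normalises IPv4 shorthand ("127.1", "0x7f000001") to dotted-quad form.
  const host = /^\[.*\]$/.test(u.hostname) ? u.hostname.slice(1, -1) : u.hostname;
  if (parseIpv4(host) || parseIpv6(host)) return isPublicAddress(host) ? [host] : null;
  if (host === "localhost" || host.endsWith(".localhost")) return null;
  if (!resolvedAddresses || resolvedAddresses.length === 0) return null;
  return resolvedAddresses.every(isPublicAddress) ? resolvedAddresses : null;
}

export function isPublicHttpUrl(raw: string, resolvedAddresses?: string[]): boolean {
  return vetHttpUrl(raw, resolvedAddresses) !== null;
}
```

With this gate, 'vetHttpUrl("http://[::ffff:7f00:1]:8080/")' returns null because the bracketed literal is unwrapped and recognised as a mapped loopback address, and 'vetHttpUrl("http://some-host.test/")' with no resolved addresses also returns null, so a hostname can never slip through unchecked. The resolver is deliberately left outside the function: the caller performs one lookup, passes every answer, and then pins the connection to the returned list (for Node's 'http' client that means supplying a custom 'lookup' that returns only those addresses).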

Reproduction

The vulnerability can be reproduced by starting the Open-WebSearch MCP HTTP server with the default settings, which include no authentication and CORS enabled for all origins. After the server is running, a request can be made to the '/mcp' endpoint using the 'fetchWebContent' tool, with a URL that includes a bracketed IPv6 literal pointing to a private address, such as 'http://[::ffff:7f00:1]:<port>/' where '<port>' is the port on which a canary server (a local test listener that serves a known secret) is listening. The response will include the canary's internal secret, demonstrating that the SSRF vulnerability has been successfully exploited.

Remediation

Users are advised to update Open-WebSearch to version 2.1.7 or later, where this vulnerability has been patched.

Added: May 12, 2026, 3:45 PM
Updated: May 12, 2026, 3:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.