python-utcp UTCP-HTTP Plugin Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind Server-Side Request Forgery (SSRF) vulnerability has been identified in the python-utcp UTCP-HTTP plugin, affecting versions through 1.1.2. The issue arises from a trust-boundary inconsistency between manual discovery and tool invocation. While the 'register_manual()' function validates discovery URLs against an HTTPS and loopback allowlist, the 'call_tool()' and 'call_tool_streaming()' functions directly reuse the resolved tool call template URL without revalidation. This oversight allows an attacker to host a malicious OpenAPI specification on a legitimate HTTPS endpoint, declaring internal URLs that the OpenAPI converter will blindly trust and use to access internal services on the agent host.

Impact

Exploitation of this vulnerability allows remote attackers to access internal services on the agent host via loopback URLs, or to read cloud metadata credentials from AWS or GCP, depending on the python-utcp version in use.

Remediation

Users should upgrade to python-utcp version 1.1.3 or later. For those unable to upgrade immediately, it is advised to avoid using 'register_manual()' with URLs controlled by untrusted parties, and to restrict outbound network access from the host running the agent to prevent access to internal addresses.
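The missing step described under Vulnerability is a second validation at call time. The sketch below is an added example, not python-utcp's code and not the fix shipped in 1.1.3: a check that a caller could run on each tool URL taken from an untrusted manual before invoking it. The names check_tool_url, system_resolve and sample_resolve are hypothetical, the DNS table is constructed, and the policy (HTTPS to public addresses only, loopback refused as well) is an assumption that is stricter than the discovery allowlist.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {
    "api.example.test": {"8.8.8.8"},
    "mixed.example.test": {"8.8.8.8", "127.0.0.1"},
    "metadata.example.test": {"169.254.169.254"},
}

def sample_resolve(host):
    """Stand-in resolver over SAMPLE_DNS; unknown names fail like real DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]

def system_resolve(host):
    """Every address the name maps to, via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_tool_url(url, resolve=system_resolve):
    """Hypothetical call-time gate for a tool URL; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)      # literal IP: nothing to resolve
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in sorted(addrs):          # one internal answer rejects the URL
        ip = ipaddress.ip_address(addr.split("%")[0])
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped         # unwrap ::ffff:a.b.c.d
        if not ip.is_global:            # loopback, link-local, private ranges
            return False, f"{ip} is not a public address"
    return True, "ok"
```

The check and the HTTP client resolve the host name separately, so the outbound network restriction advised above remains necessary as a second layer.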

Added: May 14, 2026, 9:44 PM
Updated: May 14, 2026, 9:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 5.8
remediation: 0.0
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.