FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
| Vendor | Product | Versions |
|---|---|---|
| — | mcp-from-openapi | < 1.0.4, < 1.0.4, < 1.0.4, < 2.3.0 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| npm | @frontmcp/sdk | GHSA | 85% |
| npm | @frontmcp/adapters | GHSA | 85% |
Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.
Initial creation
