VulnWatch VulnWatch
← Back to dashboard
Medium github · GHSA-r8j5-8747-88cm

@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Published May 14, 2026 CVSS 4.7

Summary

The @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host.

A separate prefix-bypass also affected the discovery-time check: the previous startsWith('http://localhost') guard let URLs like http://localhost.evil.com through.

Sister advisory

This is the npm/TypeScript counterpart of GHSA-39j6-4867-gg4w / CVE-2026-44661 on the Python utcp-http package. Same vulnerability, same fix shape, same reporter.

Versions and patch state

  • `@utcp/http
Prompt Injection SSRF

Affected AI Products

prompt injection llm
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.