CVE-2026-39885

HIGH

FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications

Title source: cna

Description

FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
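One defensive pattern for the weakness described above, as an added example that is not code from FrontMCP or mcp-from-openapi: before handing an untrusted OpenAPI document to a $ref dereferencer, walk it and refuse any $ref that would leave the document, so no outbound fetch or file read can be triggered by the spec itself. The sample spec, its hosts and paths are constructed placeholders.

```typescript
// Added example, not FrontMCP or mcp-from-openapi code. Only intra-document
// JSON Pointers ("#/...") are accepted; anything else (http(s)://, file:,
// "./other.yaml#/...") would require the resolver to fetch a resource. The
// parser's own `resolve.external` option can be set to false as a second layer.

interface RefCheckResult { ok: boolean; external: string[] } // external = offending $refs with location

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

// Recursively collect every $ref that is not a local "#..." pointer.
function findExternalRefs(node: unknown, path = "$"): string[] {
  const found: string[] = [];
  if (Array.isArray(node)) {
    node.forEach((item, i) => found.push(...findExternalRefs(item, `${path}[${i}]`)));
    return found;
  }
  if (!isRecord(node)) return found;
  for (const [key, value] of Object.entries(node)) {
    if (key === "$ref" && typeof value === "string") {
      // "#/components/..." stays inside the document; everything else is external.
      if (!value.startsWith("#")) found.push(`${path}.$ref -> ${value}`);
    } else {
      found.push(...findExternalRefs(value, `${path}.${key}`));
    }
  }
  return found;
}

// Gate to call before dereferencing: ok === false means the spec must be rejected.
function checkSpecRefs(doc: unknown): RefCheckResult {
  const external = findExternalRefs(doc);
  return { ok: external.length === 0, external };
}

// Constructed sample spec (hypothetical hosts/paths, not real targets): one
// local ref plus two that an unrestricted dereferencer would try to fetch.
const sampleSpec = {
  openapi: "3.0.0",
  paths: { "/items": { get: { responses: { "200": {
    content: { "application/json": { schema: { $ref: "#/components/schemas/Item" } } } } } } } },
  components: { schemas: {
    Item: { type: "object", properties: { id: { type: "string" } } },
    Remote: { $ref: "http://metadata.internal.example/placeholder" },
    Local: { $ref: "file:///placeholder/local-file" },
  } },
};
```

Running `checkSpecRefs(sampleSpec)` returns `ok: false` with two flagged entries (the `Remote` and `Local` schemas), while a spec whose every $ref starts with `#` passes.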

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 12.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (10)
@frontmcp/adapters < 1.0.4
@frontmcp/sdk < 1.0.4
agentfront/@frontmcp/adapters < 1.0.4
agentfront/@frontmcp/sdk < 1.0.4
agentfront/frontmcp < 1.0.4 (2 CPE variants)
frontmcp/adapters 0 - 1.0.4 (npm)
frontmcp/mcp-from-openapi < 2.3.0
frontmcp/mcp-from-openapi < 2.3.0
frontmcp/sdk 0 - 1.0.4 (npm)
npm/mcp-from-openapi 0 - 2.3.0 (npm)
Published Apr 08, 2026
Tracked Since Apr 09, 2026