@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
- Severity:
- Medium
Description
The @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares.
Recommendation
Update the @utcp/http package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.1.1
- Patched version(s): 1.1.2
References
Related Issues
- i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
- PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability
- i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
- Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration - CVE-2026-45715
You might also like:
- Tags:
- npm
- @utcp/http
Anything's wrong? Let us know Last updated on May 14, 2026