Imagine this. You're a developer building AI-powered tools. You discover mcp-from-openapi, a neat npm package that takes any OpenAPI spec and spins up an MCP server automatically. You feed it your API definition, and suddenly your AI agent can call your endpoints. Magic.
Now imagine someone sends you an OpenAPI spec. Maybe it's a partner integration. Maybe it's a public API you found online. You load it into the tool. Everything looks normal. But buried inside that YAML file is a single line that just emptied your cloud credentials onto an attacker's server.
This is the story of CVE-2026-39885 — a vulnerability I reported through GHSA-v6ph-xcq9-qxxj.
The Setup: What Is FrontMCP?
FrontMCP is an open-source toolkit that bridges OpenAPI specifications and the Model Context Protocol (MCP). At its core, the mcp-from-openapi package takes any Swagger/OpenAPI definition and generates an MCP server that exposes those API endpoints as tools for AI agents to call. The @frontmcp/adapters and @frontmcp/sdk packages build on top of it.
If you're building AI agents that interact with APIs, this is exactly the kind of tool you'd reach for. It saves you from writing boilerplate MCP tool definitions by hand.
The problem wasn't in the MCP layer. It was in how the package parsed OpenAPI specs.
The Vulnerability: A Trusted Parser, Unconfigured
OpenAPI specs support something called $ref — JSON references that point to other parts of the document, or to external files. This is a standard feature. It keeps large API definitions clean and modular.
Under the hood, mcp-from-openapi uses a library called @apidevtools/json-schema-ref-parser to resolve these references. This library is powerful. It can follow $ref pointers to local files, HTTP URLs, even internal network addresses.
Here's the catch: the library was called with zero restrictions.
// The vulnerable pattern (simplified)
const $RefParser = require('@apidevtools/json-schema-ref-parser');
// No URL allowlist. No protocol restrictions. No custom resolvers.
const api = await $RefParser.dereference(openapiSpec);
No options passed. No URL allowlist. No protocol filtering. The ref parser was handed the keys to the network and told "fetch whatever you want."
The Attack: Three Lines That Steal Your Identity
An attacker crafts a malicious OpenAPI spec. It looks perfectly normal — paths, schemas, responses, all standard stuff. Except one schema has a $ref that doesn't point to another part of the document.
Stealing AWS Credentials
If the package runs on an EC2 instance, ECS task, or Lambda function, the cloud metadata service is reachable at a well-known IP address. The attacker adds a reference that points straight to it:
components:
schemas:
UserProfile:
$ref: "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
When the ref parser encounters this, it dutifully makes an HTTP request to the AWS Instance Metadata Service (IMDS). The response? Temporary IAM credentials — Access Key, Secret Key, Session Token. Everything an attacker needs to assume that role.
The parser doesn't know it just fetched cloud credentials. It tries to interpret the response as a JSON schema, probably fails silently or throws a parse error — but the HTTP request already happened. If the attacker points to a server they control as a middle hop, the data is exfiltrated.
$ref, one HTTP call, and the attacker has your IAM role's temporary credentials. Even with IMDSv2, if the token was already fetched by a process on the same instance, the metadata service is still reachable.
Reading Local Files
It's not just network calls. The ref parser also supports the file:// protocol:
components:
schemas:
Config:
$ref: "file:///etc/passwd"
PrivateKey:
$ref: "file:///home/app/.ssh/id_rsa"
EnvSecrets:
$ref: "file:///proc/self/environ"
SSH keys, environment variables (which often hold API tokens and database passwords), configuration files — all readable. The parser fetches the file contents and tries to use them as a JSON schema. The data passes through the application.
Scanning Internal Networks
The third attack vector is reconnaissance. An attacker probes internal services by referencing internal IPs and ports:
components:
schemas:
Probe1:
$ref: "http://10.0.0.1:6379/"
Probe2:
$ref: "http://10.0.0.1:5432/"
Probe3:
$ref: "http://10.0.0.1:9200/"
Connection refused? That port is closed. Timeout? Probably firewalled. Got a response? There's a Redis, Postgres, or Elasticsearch instance at that address. The attacker just mapped your internal network topology without ever touching it directly.
The Blast Radius
This wasn't just one package. The vulnerability affected three npm packages:
mcp-from-openapi— versions ≤ 2.1.2@frontmcp/adapters— versions ≤ 1.0.3@frontmcp/sdk— versions ≤ 1.0.3
And here's the uncomfortable part: no authentication is required to exploit this. The attacker doesn't need access to your server. They just need you to load their OpenAPI spec. That's it. The attack vector is the spec itself.
Think about how OpenAPI specs travel: shared in Slack, downloaded from public repos, fetched from URLs during CI/CD, pulled from API marketplaces. The supply chain surface is massive.
The Fix
The remediation is straightforward. The ref parser supports resolver options that were simply never configured:
const api = await $RefParser.dereference(openapiSpec, {
resolve: {
file: false, // Block file:// entirely
http: {
headers: {},
timeout: 5000,
// Only allow refs to explicitly trusted hosts
canRead: (file) => {
const url = new URL(file.url);
return allowedHosts.includes(url.hostname);
}
}
}
});
Disable file:// protocol. Restrict HTTP resolution to an explicit allowlist of trusted hosts. Or, if you don't need external refs at all, disable all external resolution entirely.
The patched versions:
mcp-from-openapi≥ 2.3.0@frontmcp/adapters≥ 1.0.4@frontmcp/sdk≥ 1.0.4
The Bigger Lesson
This CVE is a textbook example of something I see constantly in security: a powerful library used with its default (permissive) configuration.
The ref parser isn't broken. It did exactly what it was designed to do — resolve references from any source. The vulnerability was in the consumer code that called it without thinking about what "any source" really means when you're processing untrusted input.
This pattern shows up everywhere:
- XML parsers with external entity resolution enabled by default (XXE)
- Template engines with unrestricted object access (SSTI)
- YAML parsers that execute arbitrary code during deserialization
- And now, JSON schema ref parsers that fetch from arbitrary URLs (SSRF)
The story is always the same: a developer finds a library that solves their problem, calls the happy-path function, and ships it. The library's security-relevant configuration options — the ones buried three pages deep in the docs — never get set.
For Developers Building MCP Tools
The MCP ecosystem is exploding right now. New tools are being published daily. If you're building MCP servers that accept external input — OpenAPI specs, JSON schemas, configuration files — treat that input as hostile.
- Audit your parsers. What can they fetch? What protocols do they support? Can they reach internal networks?
- Restrict by default. Disable file:// and limit HTTP to an explicit allowlist. If you don't need external resolution, turn it off.
- Enforce IMDSv2. On AWS, require IMDSv2 with hop limit of 1. This makes metadata credential theft significantly harder (though not impossible from the instance itself).
- Network segmentation. Run untrusted parsing in isolated environments that can't reach internal services or metadata endpoints.
Final Thought
The scariest vulnerabilities aren't the ones that require a complex exploit chain. They're the ones where the attacker just hands you a file, and you do all the work for them.
A single $ref. A single HTTP request you never intended to make. And suddenly, your cloud credentials are someone else's.
Patch your dependencies. Audit your parsers. And never trust a spec you didn't write.
Full advisory: GHSA-v6ph-xcq9-qxxj | Patch: FrontMCP v1.0.4