| 제목 | litellm latest Server-Side Request Forgery (SSRF) (CWE-918) |
|---|
| 설명 | # Technical Details
A Server-Side Request Forgery (SSRF) vulnerability exists in the `load_openapi_spec_async` method in `litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py` of litellm.
The application accepts an external `spec_path` URL mapping component for MCP tools loading processes. Waitstates and unvalidated parameter fetching execute a blunt system fetch against the host, breaking boundary restrictions.
# Vulnerable Code
File: `litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py`
Method: `load_openapi_spec_async`
Why: Any user authenticating with standard API keys against `/mcp-rest/test/tools/list` can feed `http://` schema values into `spec_path`. Inside the script, `httpx.get(filepath)` executes resolving the remote schema entirely without domain filtering, rebinding mitigation, or private IP sanitization.
# Reproduction
1. Form an authenticated HTTP POST invocation passing into `/mcp-rest/test/tools/list`.
2. Bind the inner JSON `spec_path` to loopback targeting a local service (e.g. `"spec_path": "http://internal-service:8080/"`) or Cloud Meta Data endpoints (e.g. `x.x.x.x`).
3. Obtain the returned HTTP 200 payload generated containing internal resource reflections.
# Impact
- Broad Access into constrained internal domains, databases, microservices, and port systems directly tied to the application wrapper.
- Immediate exfiltration vectors for Cloud IAM Metadata mapping tokens if deployed adjacent to instances utilizing standard AWS/GCP access frameworks. |
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/c1104c529975699ba347feedfbe02c5a |
|---|
| 사용자 | Eric-c (UID 96848) |
|---|
| 제출 | 2026. 04. 23. AM 10:08 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 06. 20. PM 07:12 (2 months later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 372560 [BerriAI litellm 까지 1.82.2 MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async spec_path 권한 상승] |
|---|
| 포인트들 | 20 |
|---|