Verified auth-fetch-mcp SSRF via IPv4-mapped IPv6 loopback bypass
REPRO-2026-00205 ymw0407/auth-fetch-mcp · npm SSRF Jul 2, 2026 .txt
Severity HIGH
Confidence HIGH
Reproduced in 17m 11s
Tool calls 166
Spend $2.60
Affected <= 3.0.1
Fixed in 3.0.2
$ pruva-verify REPRO-2026-00205
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00205/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Target repo: https://github.com/ymw0407/auth-fetch-mcp. Vulnerable package: auth-fetch-mcp (npm). Affected versions: <=3.0.1; fixed in 3.0.2.

assertSafeUrl() in src/security.ts calls isPrivateV6(), which looks for the IPv4-mapped prefix ::ffff: and then runs net.isIPv4() on the remainder. The guard only ever sees the hostname the Node.js WHATWG URL parser produced, and that parser serializes IPv6 literals in compressed hex form: http://[::ffff:127.0.0.1]/ yields a hostname of [::ffff:7f00:1]. The remainder handed to net.isIPv4() is therefore '7f00:1', which is not a dotted quad, the check returns false, and the loopback address passes the private-IP guard.

Reproduction: install auth-fetch-mcp@3.0.1, run the MCP server with default settings, and invoke the auth_fetch or download_media tool with the URL http://[::ffff:127.0.0.1]:/. The server fetches the loopback URL and returns the response, confirming SSRF. The advisory provides a detailed trace through src/tools.ts, src/browser.ts, and src/extractor.ts.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md  0.9 KB
bundle/ticket.json  1.4 KB
bundle/repro/mcp_client.js  6.8 KB
bundle/repro/runtime_manifest.json  1.3 KB
bundle/repro/validation_verdict.json  0.8 KB
bundle/logs/vulnerable_test.log  2.2 KB
bundle/logs/vulnerable_marker.txt  0.0 KB
bundle/logs/vulnerable_victim_server.log  0.3 KB
bundle/logs/vulnerable_mcp_requests.log  0.7 KB
bundle/logs/vulnerable_mcp_stdout.log  2.6 KB
bundle/logs/vulnerable_result.json  1.0 KB
bundle/logs/fixed_test.log  2.0 KB
bundle/logs/fixed_marker.txt  0.0 KB
bundle/logs/fixed_victim_server.log  0.2 KB
bundle/logs/fixed_mcp_requests.log  0.7 KB
bundle/logs/fixed_mcp_stdout.log  2.7 KB
bundle/logs/fixed_result.json  0.8 KB
bundle/logs/reproduction_steps.log  7.3 KB
bundle/logs/mcp-home-vulnerable/.auth-fetch-mcp/downloads/2026-07-02T18-06-43/file-1.bin  0.0 KB
bundle/logs/vuln_variant/probe_guard.log  3.5 KB
bundle/logs/vuln_variant/routing_test.log  1.6 KB
bundle/logs/vuln_variant/routing_test.json  1.8 KB
bundle/logs/vuln_variant/redirect_tier1.log  0.6 KB
bundle/logs/vuln_variant/redirect_tier1.json  0.7 KB
bundle/logs/vuln_variant/fixed_variant_test.log  1.5 KB
bundle/logs/vuln_variant/fixed-variant_marker.txt  0.0 KB
bundle/logs/vuln_variant/mcp-home-vuln-variant/.auth-fetch-mcp/downloads/2026-07-02T18-15-57/file-1.bin  0.0 KB
bundle/logs/vuln_variant/fixed_variant_result.json  1.5 KB
bundle/logs/vuln_variant/main_variant_test.log  1.5 KB
bundle/logs/vuln_variant/main-variant_marker.txt  0.0 KB
bundle/logs/vuln_variant/main-variant_victim_server.log  0.9 KB
bundle/logs/vuln_variant/main-variant_mcp_requests.log  2.2 KB
bundle/logs/vuln_variant/main_variant_result.json  1.5 KB
bundle/logs/vuln_variant/vuln_variant_test.log  1.5 KB
bundle/logs/vuln_variant/vuln-variant_marker.txt  0.0 KB
bundle/logs/vuln_variant/vuln-variant_victim_server.log  0.9 KB
bundle/logs/vuln_variant/vuln-variant_mcp_requests.log  2.2 KB
bundle/logs/vuln_variant/vuln_variant_result.json  1.5 KB
bundle/logs/vuln_variant/fixed-variant_victim_server.log  0.9 KB
bundle/logs/vuln_variant/fixed-variant_mcp_requests.log  2.2 KB
bundle/logs/vuln_variant/reproduction_steps.log  7.5 KB
bundle/logs/vuln_variant/vuln-variant_variant_test.log  1.5 KB
bundle/logs/vuln_variant/vuln-variant_variant_result.json  1.5 KB
bundle/logs/vuln_variant/fixed-variant_variant_test.log  1.5 KB
bundle/logs/vuln_variant/fixed-variant_variant_result.json  1.5 KB
bundle/logs/vuln_variant/main-variant_variant_test.log  1.5 KB
bundle/logs/vuln_variant/main-variant_variant_result.json  1.5 KB
bundle/logs/vuln_variant/final_run.log  7.5 KB
bundle/logs/vuln_variant/mcp-home-fixed-variant/.auth-fetch-mcp/downloads/2026-07-02T18-15-59/file-1.bin  0.0 KB
bundle/logs/vuln_variant/mcp-home-main-variant/.auth-fetch-mcp/downloads/2026-07-02T18-16-02/file-1.bin  0.0 KB
bundle/vuln_variant/probe_guard.js  4.9 KB
bundle/vuln_variant/probe_routing.js  3.0 KB
bundle/vuln_variant/redirect_tier1.js  3.6 KB
bundle/vuln_variant/variant_mcp_client.js  8.7 KB
bundle/vuln_variant/runtime_manifest.json  1.5 KB
bundle/vuln_variant/patch_analysis.md  8.6 KB
bundle/vuln_variant/variant_manifest.json  5.5 KB
bundle/vuln_variant/validation_verdict.json  4.3 KB
bundle/vuln_variant/source_identity.json  2.8 KB
bundle/vuln_variant/root_cause_equivalence.json  4.6 KB
bundle/repro/reproduction_steps.sh  12.0 KB
bundle/repro/rca_report.md  10.3 KB
bundle/vuln_variant/reproduction_steps.sh  10.3 KB
bundle/vuln_variant/rca_report.md  12.8 KB