VDB
KO
MEDIUM 4.3

GHSA-c5r6-m4mr-8q5j

@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization

Details

## Summary

The network domain has a central SSRF authorization policy that blocks private, loopback, link-local, and reserved targets unless an explicit authorization object allows private network access. The policy is enforced by raw HTTP/TCP/TLS RTT tools, but the ICMP probe and traceroute tools resolve the target and invoke the native ICMP/traceroute sink directly.

An MCP client with access to an active network domain can therefore ask the jshookmcp server to probe internal addresses such as 10.0.0.1 even when local SSRF access is disabled for the other raw network tools. This exposes an internal reachability and route mapping primitive from the server network position.

## Affected code

Current main https://github.com/vmoranv/jshookmcp/commit/d309c395738638e384c28c0f599b47b2213ab595 and npm package @jshookmcp/jshook 0.3.1 both contain the issue.

- src/server/domains/network/handlers/raw-latency-handlers.ts:61-66: network_rtt_measure parses optional authorization and calls resolveAuthorizedTransportTarget before probing. - src/server/domains/network/handlers/raw-latency-handlers.ts:185-190: network_latency_stats uses the same authorization guard. - src/server/domains/network/handlers/raw-latency-handlers.ts:123-139: network_traceroute resolves target with resolveHostname and calls traceroute without an authorization policy check. - src/server/domains/network/handlers/raw-latency-handlers.ts:240-257: network_icmp_probe resolves target with resolveHostname and calls icmpProbe without an authorization policy check. - src/server/domains/network/handlers/raw-latency-handlers.ts:408-416: resolveHostname returns IPv4 literals directly and otherwise performs DNS A lookup without checking private, loopback, link-local, or reserved ranges. - src/utils/network/ssrf-policy.ts:244-316: the central policy blocks private targets unless explicit authorization or ALLOW_LOCAL_SSRF=true is set.

## Reproduction

Used a focused regression test against the real handleCallTool and RawHandlers call path with fake native ICMP and policy sinks. The test does not send external traffic. It proves the denied control and the bypass through the same MCP meta-tool dispatch path.

Test file path in my local checkout:

```text tests/server/security/jshookmcp-network-meta-boundary.test.ts ```

Relevant test body:

```ts it('denied control: RTT path consults the SSRF authorization guard for private targets', async () => { const handler = new RawHandlers(); state.resolveAuthorizedTransportTarget.mockRejectedValue(new Error('RTT measurement blocked: target resolves to a private or reserved address.')); await expect(handler.handleNetworkRttMeasure({ url: 'https://10.0.0.1/', probeType: 'tcp' })).rejects.toThrow(/blocked/); expect(state.resolveAuthorizedTransportTarget).toHaveBeenCalled(); expect(state.icmpProbe).not.toHaveBeenCalled(); });

it('bypass proof: call_tool can drive network_icmp_probe to a private IP without the SSRF authorization guard', async () => { const raw = new RawHandlers(); const ctx = { router: { has: vi.fn((name: string) => name === 'network_icmp_probe') }, executeToolWithTracking: vi.fn((name: string, args: Record<string, unknown>) => raw.handleNetworkIcmpProbe(args)), } as any;

const response = await handleCallTool(ctx, { name: 'network_icmp_probe', args: { target: '10.0.0.1', ttl: 64 } }); const body = JSON.parse(response.content[0].text);

expect(body.success).toBe(true); expect(ctx.router.has).toHaveBeenCalledWith('network_icmp_probe'); expect(ctx.executeToolWithTracking).toHaveBeenCalledWith('network_icmp_probe', { target: '10.0.0.1', ttl: 64 }); expect(state.resolveAuthorizedTransportTarget).not.toHaveBeenCalled(); expect(state.icmpProbe).toHaveBeenCalledWith(expect.objectContaining({ target: '10.0.0.1', ttl: 64 })); }); ```

Command run:

```bash corepack pnpm exec vitest run --config vitest.config.ts tests/server/security/jshookmcp-network-meta-boundary.test.ts --reporter=verbose ```

Result:

```text Test Files 1 passed (1) Tests 4 passed (4) ```

The observed vulnerable call sequence is:

```text call_tool(name=network_icmp_probe, args={target: 10.0.0.1, ttl: 64}) -> ctx.router.has(network_icmp_probe) == true -> ctx.executeToolWithTracking(network_icmp_probe, validatedArgs) -> RawHandlers.handleNetworkIcmpProbe(validatedArgs) -> resolveHostname(10.0.0.1) returns 10.0.0.1 -> icmpProbe({ target: 10.0.0.1, ttl: 64, ... }) ```

resolveAuthorizedTransportTarget is not called on this path. The same missing policy pattern exists for network_traceroute.

## Impact

An MCP client with access to the active network domain can use the server as a backend-origin internal network probing oracle. The result can reveal whether internal hosts respond, approximate latency, traceroute hops, and ICMP error classes from the server network position.

The practical impact is strongest when jshookmcp is exposed over Streamable HTTP or another remote transport, multiple clients share one server, or the server runs on Windows or with raw socket capability. This is not code execution and does not by itself exfiltrate response bodies.

## Remediation

Apply the same authorization model used by network_rtt_measure and network_latency_stats to network_icmp_probe and network_traceroute. In particular, accept an optional authorization object, resolve the target through the central policy helper or an equivalent host-only policy helper, block private and reserved ranges by default, and pass only the policy-approved resolved address to the native probe. Add regression tests for default-denied private targets, authorized private CIDR access, private hostnames, and call_tool dispatch.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @jshookmcp/jshook
Introduced in: 0.3.1 Fixed in: 0.3.2
Fix npm install @jshookmcp/jshook@0.3.2

References