VDB
KO
MEDIUM 5.7

GHSA-g84h-j7jj-x32p

@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)

Details

### Summary A known vulnerability CVE-2026-33060 indicated tools including ckan_package_search and sparql_query that accept a base_url parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exists.

### Details CKAN MCP Server validates caller-supplied CKAN server URLs by inspecting only the parsed hostname string before issuing outbound HTTP requests. In `src/utils/http.ts`, hostname aliases such as `ip6-localhost` are not equal to `localhost`, are not dotted IPv4 literals, and are not bracketed IPv6 literals, so they pass the SSRF filter but can resolve to loopback when the server performs the request. A remote MCP caller that can invoke CKAN tools with a `server_url` can therefore make the server connect to local or private addresses and, for CKAN-shaped responses, receive response-derived data.

### Fix Replaced the single `hostname === 'localhost'` check with a blocked-hostname `Set` covering `ip6-localhost` and `ip6-loopback`. Patched in commit `c761045a1b7c5f40d2626540dd2ef1d4feb91f8c`.

--- @aborruso/ckan-mcp-server thanks **hibrian827** for responsibly disclosing this issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @aborruso/ckan-mcp-server
Introduced in: 0 Fixed in: 0.4.106
Fix npm install @aborruso/ckan-mcp-server@0.4.106

References