{"data":{"id":"089976f6-1d3e-4508-b308-67789df5c076","title":"GHSA-mrvx-jmjw-vggc: SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`","summary":"The `web_url_read` tool in mcp-searxng has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems). The vulnerability exists because the code checks if a hostname looks private by comparing text strings, but it doesn't actually resolve the hostname using DNS (the system that translates domain names to IP addresses). An attacker can use a domain that resolves to an internal IP address to bypass this check and access sensitive data from internal services.","solution":"The source recommends modifying `src/url-reader.ts` to perform DNS resolution inside the `assertUrlAllowed()` function before fetching. Specifically: import `lookup` from `node:dns/promises`, make `assertUrlAllowed()` async, and add code to resolve the hostname and check if any of the resolved IP addresses are private before allowing the request.\nAll calls to `assertUrlAllowed()` must be updated to `await` the now-async function.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-mrvx-jmjw-vggc","publishedAt":"2026-06-19T21:42:46.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":["mcp-searxng@< 1.7.1 (fixed: 1.7.1)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["SearXNG MCP Server","mcp-searxng"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-06-19T21:42:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}