GHSA-mrvx-jmjw-vggc: SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
Summary
The `web_url_read` tool in mcp-searxng is vulnerable to SSRF (server-side request forgery: an attacker induces the server to make requests to internal systems on their behalf). The flaw exists because the code decides whether a hostname is private by comparing text strings and never resolves the hostname through DNS (the system that maps domain names to IP addresses). An attacker can therefore supply a domain name that resolves to an internal IP address, pass the string check, and read data from internal services.
Solution / Mitigation
The source recommends modifying `src/url-reader.ts` to perform DNS resolution inside the `assertUrlAllowed()` function before fetching. Specifically: import `lookup` from `node:dns/promises`, make `assertUrlAllowed()` async, and add code to resolve the hostname and check if any of the resolved IP addresses are private before allowing the request. All calls to `assertUrlAllowed()` must be updated to `await` the now-async function.
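The check described above, written for this page as an added example rather than the project's own `src/url-reader.ts` code: `assertUrlAllowed()` takes an injectable resolver (an assumption made so the logic can be exercised offline), defaults to `lookup` from `node:dns/promises`, and rejects the URL if any resolved address falls in a private or special-use range.

```typescript
import { lookup } from "node:dns/promises";
import { isIP } from "node:net";

// The resolver is injectable (an assumption made for offline testing); the default wraps dns.lookup.
export type Resolver = (hostname: string) => Promise<string[]>;
export const dnsResolver: Resolver = async (hostname) =>
  (await lookup(hostname, { all: true })).map((r) => r.address);

// IPv4 blocks a URL reader must never reach: "this host", RFC 1918, CGNAT, loopback,
// link-local (cloud metadata services live here), and multicast/reserved (224.0.0.0/3).
const PRIVATE_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inV4Block(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

export function isPrivateAddress(addr: string): boolean {
  let ip = addr.toLowerCase();
  // An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged by the embedded IPv4 address.
  if (ip.startsWith("::ffff:") && isIP(ip.slice(7)) === 4) ip = ip.slice(7);
  if (isIP(ip) === 4) return PRIVATE_V4.some(([base, bits]) => inV4Block(ip, base, bits));
  if (isIP(ip) === 6) {
    // loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10), multicast (ff00::/8)
    return ip === "::1" || ip === "::" || /^f[cd]/.test(ip) || /^fe[89ab]/.test(ip) || /^ff/.test(ip);
  }
  return true; // not an IP literal at all: refuse rather than guess
}

export async function assertUrlAllowed(rawUrl: string, resolve: Resolver = dnsResolver): Promise<URL> {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`blocked scheme ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, ""); // URL keeps IPv6 literals in brackets
  // IP literals are checked directly; names are resolved first and every address must be public,
  // so a public-looking name that points at 10.0.0.5 is rejected before any request is sent.
  const addresses = isIP(host) ? [host] : await resolve(host);
  if (addresses.length === 0) throw new Error(`cannot resolve ${host}`);
  for (const a of addresses) {
    if (isPrivateAddress(a)) throw new Error(`blocked: ${host} resolves to private address ${a}`);
  }
  return url;
}
```

The HTTP client resolves the name again when it connects, so a record that changes between check and fetch (DNS rebinding) can still slip through; pin the connection to the vetted address, for example through a custom `lookup` on the HTTP agent, so check and connection use the same IP.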
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-mrvx-jmjw-vggc
First tracked: June 19, 2026 at 08:01 PM