CVE-2025-11286

Summary

A vulnerability was determined in samanhappy MCPHub up to 0.9.10. This affects an unknown part of the file src/controllers/serverController.ts of the component MCPRouter Service. This manipulation of the argument baseUrl causes server-side request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
samanhappyMCPHub0.9.0affected
samanhappyMCPHub0.9.1affected
samanhappyMCPHub0.9.2affected
samanhappyMCPHub0.9.3affected
samanhappyMCPHub0.9.4affected
samanhappyMCPHub0.9.5affected
samanhappyMCPHub0.9.6affected
samanhappyMCPHub0.9.7affected
samanhappyMCPHub0.9.8affected
samanhappyMCPHub0.9.9affected
samanhappyMCPHub0.9.10affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References