Impact
The vulnerability in typescript-utcp allows a blind server-side request forgery (SSRF) when an attacker controls the servers[0].url field in an OpenAPI specification that the application consumes. During manual discovery, registerManual() validates that discovery URLs are HTTPS and loopback, but callTool() bypasses this check and uses the resolved toolCallTemplate.url directly. The OpenApiConverter trusts any URL listed, so an attacker hosting a malicious OpenAPI spec on a legitimate HTTPS endpoint can point servers[0].url at internal addresses such as 127.0.0.1:9090 or 169.254.169.254. The resulting request originates from the agent host, giving the attacker reach into internal services or metadata endpoints that are not exposed to the external network. The flaw effectively grants an attacker control over outbound HTTP requests from the application.
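The weakness described above is that the URL check runs only at discovery time, while the request at call time is built from an attacker-controlled servers[0].url and never re-validated. The following is an added example, not code from typescript-utcp or its fix: a hypothetical checkOutboundUrl() helper that a callTool()-style path would run on the fully resolved URL immediately before sending, plus a resolveToolCallUrl() helper that joins a constructed OpenAPI spec's servers[0].url with a tool path and applies the same check. The function names, the Verdict type and the two sample specs are assumptions made for this illustration.

```typescript
// Added example: lexical deny-list check for outbound tool-call URLs.
// Hypothetical helpers; not typescript-utcp's own code.

type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

// Parse a dotted-quad IPv4 literal, or return null if the host is not one.
// Note: the WHATWG URL parser already normalises shorthand forms such as
// "127.1" to "127.0.0.1", so url.hostname is always dotted-quad here.
function parseIPv4(host: string): [number, number, number, number] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o: [number, number, number, number] = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return o.every((x) => x <= 255) ? o : null;
}

// Ranges a tool call should never be allowed to reach from the agent host.
function isBlockedIPv4([a, b]: [number, number, number, number]): boolean {
  return (
    a === 0 ||                            // 0.0.0.0/8 "this" network
    a === 10 ||                           // 10.0.0.0/8 private
    a === 127 ||                          // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local (cloud metadata lives here)
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12 private
    (a === 192 && b === 168) ||           // 192.168.0.0/16 private
    a >= 224                              // multicast and reserved
  );
}

function isBlockedIPv6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === '::1' || h === '::') return true;   // loopback, unspecified
  if (h.startsWith('::ffff:')) return true;     // IPv4-mapped: reject rather than re-parse
  if (/^f[cd]/.test(h)) return true;            // fc00::/7 unique local
  if (/^fe[89ab]/.test(h)) return true;         // fe80::/10 link-local
  return false;
}

// The check to run on the *resolved* request URL right before the HTTP call,
// independent of whatever validation happened at discovery time.
function checkOutboundUrl(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'credentials embedded in URL' };

  // url.hostname keeps the brackets around IPv6 literals; strip them for matching.
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);

  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const v4 = parseIPv4(host);
  if (v4 && isBlockedIPv4(v4)) return { ok: false, reason: `blocked IPv4 range: ${host}` };
  if (!v4 && host.includes(':') && isBlockedIPv6(host)) return { ok: false, reason: `blocked IPv6 range: ${host}` };
  return { ok: true, url };
}

// Minimal shape of the part of an OpenAPI document that matters here.
interface OpenApiSpec {
  servers?: { url: string }[];
  paths: Record<string, unknown>;
}

// Build the URL a tool call would actually hit from servers[0].url plus the
// operation path, then check the joined result (not just the base).
function resolveToolCallUrl(spec: OpenApiSpec, path: string): Verdict {
  const base = spec.servers?.[0]?.url;
  if (!base) return { ok: false, reason: 'spec has no servers[0].url' };
  return checkOutboundUrl(base.replace(/\/+$/, '') + path);
}

// Constructed sample specs for illustration (not real documents).
const hostileSpec: OpenApiSpec = {
  servers: [{ url: 'http://169.254.169.254' }],
  paths: { '/latest/meta-data/': {} },
};
const benignSpec: OpenApiSpec = {
  servers: [{ url: 'https://api.example.com/v1' }],
  paths: { '/users': {} },
};

console.log(resolveToolCallUrl(hostileSpec, '/latest/meta-data/'));
console.log(resolveToolCallUrl(benignSpec, '/users'));
```

This is a lexical check only: a hostname that resolves to an internal address (or re-resolves to one after the check, as with DNS rebinding) passes it, so a complete defense also validates the resolved address at connect time, for example through a custom lookup in the HTTP agent, and applies the same rules to any redirect target.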
Affected Systems
Affected systems include the universal-tool-calling-protocol’s typescript-utcp library, specifically any deployment that uses @utcp/http before version 1.1.2. All versions prior to 1.1.2 are vulnerable; the issue is fixed in version 1.1.2 and later.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity. The EPSS score is currently unavailable, but the absence of a listing in the CISA KEV catalog suggests the exploit has not yet been observed in the wild. Still, the vulnerability can be exercised by any entity that can supply a malicious OpenAPI definition to the application, which is typically reachable over the network. Based on the description, the attack vector is inferred to be network-facilitated, requiring the attacker to host a malicious spec on an HTTPS endpoint that the application trusts. The risk depends on the application's exposure to externally supplied OpenAPI specs and on its outbound network configuration, since successful exploitation would let the attacker obtain data from or pivot to internal services.
OpenCVE Enrichment
GitHub GHSA