
[GHSA-hhfx-wfvq-7g9c] Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network#7151

Closed
vcolin7 wants to merge 1 commit into vcolin7/advisory-improvement-7151 from vcolin7-GHSA-hhfx-wfvq-7g9c

Conversation

@vcolin7

@vcolin7 vcolin7 commented Mar 11, 2026

Updates

  • Affected products

Comments
Affected versions of the Azure MCP Server were also published to NPM and PyPI. This update adds details for said package managers.

Copilot AI review requested due to automatic review settings March 11, 2026 23:19
@github-actions github-actions bot changed the base branch from main to vcolin7/advisory-improvement-7151 March 11, 2026 23:20

Copilot AI left a comment


Pull request overview

Updates the GHSA advisory metadata for Azure MCP Server SSRF to include affected versions published via npm and PyPI.

Changes:

  • Adds new affected entries for the npm package @azure/mcp across stable and beta ranges
  • Adds a new affected entry for the PyPI package msmcp-azure
  • Bumps the advisory modified timestamp


Comment on lines +55 to +93
},
{
"package": {
"ecosystem": "npm",
"name": "@azure/mcp"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.0.0-beta.1"
},
{
"fixed": "2.0.0-beta.17"
}
]
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@azure/mcp"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.2"
}
]
}
]
},
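Review bot: the two npm ranges in this hunk (1.0.0 up to but not including 1.0.2, and 2.0.0-beta.1 up to but not including 2.0.0-beta.17) implicitly mark every version at or above 1.0.2 and below 2.0.0-beta.1, and 2.0.0 and later, as unaffected, since pre-release tags sort before the final release. That is only right if 1.0.2 and 2.0.0-beta.17 are exactly the first fixed builds on each line; confirm both against the published npm versions before the advisory is merged, because an off-by-one here silently hides affected releases from scanners.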
Copilot AI Mar 11, 2026


There are two separate affected entries for the same npm package (@azure/mcp). OSV tooling typically expects a single affected object per package, with multiple version ranges under its ranges array. Consider merging these into one affected entry with both ranges to avoid duplication and reduce the chance of future edits diverging.

Comment on lines +104 to +107
"introduced": "2.0.0-beta.14"
},
{
"fixed": "2.0.0-beta.17"
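Review bot: the PyPI range here starts at 2.0.0-beta.14 while the npm beta range for @azure/mcp in the same advisory starts at 2.0.0-beta.1; if 2.0.0-beta.14 is simply the first msmcp-azure release that reached PyPI that is fine, but the difference should be confirmed against the publish history rather than left implicit, and the introduced/fixed strings should use the exact spelling PyPI shows for those releases so that version matching in downstream consumers works.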
Copilot AI Mar 11, 2026


PyPI versions are expected to follow PEP 440 normalization (e.g., beta releases generally use forms like 2.0.0b14, not 2.0.0-beta.14). If these strings don’t match the actual published PyPI versions, affected-version matching may break in downstream consumers. Please update introduced/fixed to the exact PyPI release versions as published for msmcp-azure.

Suggested change
- "introduced": "2.0.0-beta.14"
- },
- {
- "fixed": "2.0.0-beta.17"
+ "introduced": "2.0.0b14"
+ },
+ {
+ "fixed": "2.0.0b17"

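The two review comments above raise the same practical question: does the advisory's `affected` array match the way OSV consumers actually read it? As an added example (not code from this PR, the advisory, or the Azure MCP project), the following dependency-free Python script takes the entries quoted in this PR, merges duplicate entries for the same package into one entry with several ranges, rewrites npm-style pre-release strings on PyPI entries into their PEP 440 spelling, and then tests whether a given version falls inside an `ECOSYSTEM` range using OSV's `introduced <= v < fixed` semantics. The sample entries are constructed from the JSON shown above; the pre-release label table and the semver-style comparator are illustrative assumptions that handle only the version forms seen on this page, not a full implementation of either specification.

```python
"""Added example: sanity-check OSV-style 'affected' entries (not the project's code)."""
import re
from copy import deepcopy

# Constructed sample, transcribed from the diff quoted in this PR. The PyPI entry
# keeps the npm-style pre-release spelling that the review flagged.
SAMPLE_AFFECTED = [
    {"package": {"ecosystem": "npm", "name": "@azure/mcp"},
     "ranges": [{"type": "ECOSYSTEM", "events": [
         {"introduced": "2.0.0-beta.1"}, {"fixed": "2.0.0-beta.17"}]}]},
    {"package": {"ecosystem": "npm", "name": "@azure/mcp"},
     "ranges": [{"type": "ECOSYSTEM", "events": [
         {"introduced": "1.0.0"}, {"fixed": "1.0.2"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "msmcp-azure"},
     "ranges": [{"type": "ECOSYSTEM", "events": [
         {"introduced": "2.0.0-beta.14"}, {"fixed": "2.0.0-beta.17"}]}]},
]

# Assumed mapping of pre-release labels to PEP 440 spellings (illustrative subset).
_PRE_LABELS = {"alpha": "a", "a": "a", "beta": "b", "b": "b", "rc": "rc", "c": "rc"}

# Accepts '1.0.2', '2.0.0-beta.17' (semver style) and '2.0.0b17' (PEP 440 style).
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)(?:[-._]?(?P<label>[A-Za-z]+)[-._]?(?P<num>\d+)?)?$")


def parse_version(text):
    """Parse a version into a tuple that sorts pre-releases before the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    release += (0,) * (3 - len(release))  # pad to MAJOR.MINOR.PATCH
    label = m.group("label")
    if label is None:
        return release + ((1, "", 0),)  # final release outranks any pre-release
    key = _PRE_LABELS.get(label.lower())
    if key is None:
        raise ValueError(f"unknown pre-release label in {text!r}")
    return release + ((0, key, int(m.group("num") or 0)),)


def to_pep440(text):
    """Rewrite '2.0.0-beta.14' as '2.0.0b14'; final releases pass through unchanged."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    label = m.group("label")
    if label is None:
        return m.group("release")
    key = _PRE_LABELS.get(label.lower())
    if key is None:
        raise ValueError(f"unknown pre-release label in {text!r}")
    return f"{m.group('release')}{key}{int(m.group('num') or 0)}"


def merge_affected(affected):
    """Collapse duplicate (ecosystem, name) entries into one entry with all ranges,
    normalizing PyPI version strings to PEP 440 on the way."""
    merged = {}
    for entry in affected:
        pkg = entry["package"]
        ranges = deepcopy(entry.get("ranges", []))
        if pkg["ecosystem"].lower() == "pypi":
            for rng in ranges:
                for ev in rng["events"]:
                    for k in ("introduced", "fixed"):
                        if k in ev:
                            ev[k] = to_pep440(ev[k])
        key = (pkg["ecosystem"], pkg["name"])
        merged.setdefault(key, {"package": dict(pkg), "ranges": []})
        merged[key]["ranges"].extend(ranges)
    return list(merged.values())


def find_entry(affected, ecosystem, name):
    """Return the affected entry for a package, or None."""
    for entry in affected:
        pkg = entry["package"]
        if pkg["ecosystem"].lower() == ecosystem.lower() and pkg["name"] == name:
            return entry
    return None


def is_affected(version, entry):
    """OSV semantics: affected if introduced <= version < fixed for any range;
    an 'introduced' with no following 'fixed' is open-ended."""
    v = parse_version(version)
    for rng in entry["ranges"]:
        if rng.get("type") != "ECOSYSTEM":
            continue  # SEMVER/GIT ranges need their own comparators
        intro = None
        for ev in rng["events"]:
            if "introduced" in ev:
                intro = parse_version(ev["introduced"])
            elif "fixed" in ev and intro is not None:
                if intro <= v < parse_version(ev["fixed"]):
                    return True
                intro = None
        if intro is not None and v >= intro:
            return True
    return False


if __name__ == "__main__":
    merged = merge_affected(SAMPLE_AFFECTED)
    npm = find_entry(merged, "npm", "@azure/mcp")
    for ver in ("1.0.1", "1.0.2", "2.0.0-beta.16", "2.0.0-beta.17", "2.0.0"):
        print(f"@azure/mcp {ver}: affected={is_affected(ver, npm)}")
```

Running the script shows the merged npm entry carrying both ranges, the PyPI events rewritten to `2.0.0b14`/`2.0.0b17`, and `2.0.0` reported as unaffected because its pre-release tags sort below the final release. That last point is why the exact `fixed` strings matter: a consumer that compares them as plain strings, or that cannot parse the npm-style spelling on a PyPI entry, will misclassify versions near the boundary.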
@vcolin7 vcolin7 closed this Mar 12, 2026
@github-actions github-actions bot deleted the vcolin7-GHSA-hhfx-wfvq-7g9c branch March 12, 2026 00:44