CVE-2026-42260: open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller:

1. Bracketed IPv6 literals are never recognized. Node’s WHATWG URL.hostname keeps the surrounding […] for IPv6 literals. isIP("[::1]") returns 0 (not 6), so neither isPrivateIpv4 nor isPrivateIpv6 is ever called on an IPv6 literal input — including [::1] itself, and including every IPv4-mapped form such as [::ffff:7f00:1] (= 127.0.0.1 via the IPv4 stack).
2. No DNS resolution. isPrivateOrLocalHostname only inspects the literal hostname string. It never resolves the host to an IP. Any attacker-controlled hostname whose DNS record points at 127.0.0.1 (or any RFC1918 / link-local address) passes the check unchanged, and axios then performs its own resolution and connects to the private address.

The isPrivateIpv6 implementation also has the hex bypass (it would miss ::ffff:7f00:1 even if reached) but defect (1) makes every bracketed IPv6 literal slip past before that branch is even entered.

The fetchWebContent tool returns the response body (JSON.stringify(result)) to the MCP caller, so the SSRF is non-blind.