fix: Restrict MCP HTTP transport to localhost, add origin validation#1
Open
taylorodell wants to merge 1 commit into
…dcard CORS

- Change default bind address from 0.0.0.0 to 127.0.0.1 for both serve (Streamable HTTP) and start (SSE) commands
- Remove Access-Control-Allow-Origin: * wildcard CORS header
- Replace with origin validation middleware that only sets CORS headers for explicitly allowed origins via --allowed-origins flag
- Add --host CLI flag to both commands for users who need network access
- Add --allowed-origins flag to serve command for cross-origin clients
- Log a warning when --host 0.0.0.0 is used explicitly
- Update DOCKER.md examples to use --host 0.0.0.0 (required inside containers) and recommend -p 127.0.0.1:2718:2718 for localhost-only port exposure
- Add Security Considerations section to DOCKER.md

Without these changes, the MCP server is vulnerable to DNS rebinding attacks: a malicious webpage can use DNS rebinding to make cross-origin requests to the locally-running server, gaining full access to all MCP tools with the victim's Cloudinary API credentials. The wildcard CORS policy (ACAO: *) further enables direct cross-origin exploitation from any webpage without DNS rebinding.

Precedent: HackerOne #2len resolved (Burp Suite MCP DNS rebinding).
Summary

This PR fixes a security vulnerability where both the Streamable HTTP (`serve`) and SSE (`start`) transports bind to `0.0.0.0` with wildcard CORS (`Access-Control-Allow-Origin: *`), exposing the MCP server to DNS rebinding and LAN-based attacks.

The Problem

- `0.0.0.0` bind exposes the server to the entire local network
- `ACAO: *` allows any webpage to make cross-origin requests to the MCP server

Combined, a user running the server with their API credentials (as shown in DOCKER.md) is vulnerable to credential theft from any browser tab they have open.

Precedent: HackerOne resolved report — "DNS Rebinding SSRF in Burp Suite MCP Server" ($2,000 bounty)

Changes

- Default bind address changed from `0.0.0.0` to `127.0.0.1` (both `serve` and `start` commands)
- `--host` CLI flag for users who explicitly need network access (e.g., Docker)
- `--allowed-origins` flag (`serve` command) for users who need cross-origin access from known clients
- DOCKER.md examples use `--host 0.0.0.0` (required inside containers) with `-p 127.0.0.1:2718:2718` for localhost-only exposure
- Warning logged when `--host 0.0.0.0` is used explicitly

Breaking Change Note

Users running the server with network access will need to add `--host 0.0.0.0` explicitly. The default is now localhost-only, which is the correct security posture for a credential-bearing local server.

Testing

- Type check (`npx tsc --noEmit`)
- Verified with the `--host 0.0.0.0` flag
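The following is an added example, not code from this PR or from the project, showing the shape of the request checks the PR describes: a loopback default plus an Origin allowlist that replaces `Access-Control-Allow-Origin: *`. It goes one step beyond the PR by also checking the `Host` header, since under DNS rebinding the attacker's hostname resolves to 127.0.0.1 but the browser still sends that hostname in `Host`. All names (`buildOriginPolicy`, `evaluateRequest`, `allowedHosts`, the sample requests) are assumptions for the example; the project's own middleware may be structured differently.

```typescript
// Added example (not the project's code): request-level checks for a
// loopback-bound MCP HTTP transport. Names such as buildOriginPolicy and
// evaluateRequest are assumed, not taken from the PR.

// Lower-cased header names, as Node's IncomingMessage.headers presents them.
type RequestHeaders = Record<string, string | undefined>;

interface Decision {
  allowed: boolean;                     // false => respond 403, do not run the tool call
  reason: string;                       // short label for the server log
  corsHeaders: Record<string, string>;  // headers to set on the response, if any
}

interface PolicyOptions {
  allowedOrigins: string[];   // what the PR's --allowed-origins flag would carry
  allowedHosts?: string[];    // Host-header allowlist (assumed option); loopback by default
}

// Host names a loopback-bound server expects to see in the Host header.
const LOOPBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Canonical "scheme://host[:port]" form, or null if the value is not an http(s)
// URL (e.g. the literal "null" origin sent by sandboxed frames and file:// pages).
function normalizeOrigin(value: string): string | null {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // lower-cases the host and drops default ports
  } catch {
    return null;
  }
}

// Host header -> hostname without the port; handles "[::1]:2718" correctly.
function hostnameOf(hostHeader: string): string | null {
  try {
    return new URL(`http://${hostHeader}`).hostname;
  } catch {
    return null;
  }
}

function buildOriginPolicy(opts: PolicyOptions) {
  const origins = new Set<string>();
  for (const raw of opts.allowedOrigins) {
    const n = normalizeOrigin(raw);
    if (n === null) throw new Error(`not a valid origin for --allowed-origins: ${raw}`);
    origins.add(n);
  }
  const hosts = new Set((opts.allowedHosts ?? LOOPBACK_HOSTS).map((h) => h.toLowerCase()));

  return function evaluateRequest(headers: RequestHeaders): Decision {
    // 1. Host check. With DNS rebinding the socket looks local, but Host still
    //    names the attacker's domain, so an unexpected Host is rejected outright.
    const host = headers["host"];
    const hostname = host === undefined ? null : hostnameOf(host);
    if (hostname === null || !hosts.has(hostname.toLowerCase())) {
      return { allowed: false, reason: `host not allowed: ${host ?? "<missing>"}`, corsHeaders: {} };
    }

    // 2. No Origin header: same-origin request or a non-browser client.
    //    Nothing to grant, so no CORS headers are emitted.
    const origin = headers["origin"];
    if (origin === undefined) {
      return { allowed: true, reason: "no origin header", corsHeaders: {} };
    }

    // 3. Cross-origin: echo the origin back only when it is explicitly allowed.
    //    This is the replacement for the wildcard "Access-Control-Allow-Origin: *".
    const normalized = normalizeOrigin(origin);
    if (normalized !== null && origins.has(normalized)) {
      return {
        allowed: true,
        reason: "origin allowed",
        corsHeaders: {
          "Access-Control-Allow-Origin": normalized,
          "Vary": "Origin", // caches must not reuse this response for another origin
        },
      };
    }
    return { allowed: false, reason: `origin not allowed: ${origin}`, corsHeaders: {} };
  };
}

// Constructed sample requests for a server started with an allowlist of
// https://app.example.com (hypothetical client; .example is a reserved TLD).
const policy = buildOriginPolicy({ allowedOrigins: ["https://app.example.com"] });
const samples = {
  localCli:     { host: "127.0.0.1:2718" },                                   // e.g. curl, no Origin
  allowedApp:   { host: "localhost:2718", origin: "https://APP.example.com" }, // case-normalized
  randomTab:    { host: "127.0.0.1:2718", origin: "https://evil.example" },    // any other web page
  dnsRebinding: { host: "evil.example:2718", origin: "https://evil.example" }, // rebound hostname
  nullOrigin:   { host: "127.0.0.1:2718", origin: "null" },                    // sandboxed frame
};

// Returns the allow/deny outcome per sample, for a quick end-to-end check.
function runSamples(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const [name, h] of Object.entries(samples)) out[name] = policy(h).allowed;
  return out;
}
```

When the server is started with `--host 0.0.0.0` for Docker or LAN use, `allowedHosts` would have to be extended with the names clients actually use; the loopback default is what makes the Host check meaningful for the PR's localhost-only case.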