- Reported
-
- Issued
-
- Package
-
rmcp
(crates.io)
- Type
-
Vulnerability
- Keywords
-
#dns-rebinding
#mcp
#http
- Aliases
-
- References
-
- Related
-
- CVSS Score
- 8.8
HIGH
- CVSS Details
-
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- Scope
- Unchanged
- Confidentiality Impact
- High
- Integrity Impact
- High
- Availability Impact
- High
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Patched
-
Description
Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did
not validate the incoming Host header.
This allowed a malicious public website, via a DNS rebinding attack, to send
requests to an MCP server running on the victim's loopback or private-network
interface.
An attacker who convinced a victim to visit a malicious page could enumerate and
invoke tools exposed by a locally running rmcp-based MCP server, read resources
and prompts, and trigger side effects limited by the tools exposed by that
server.
Non-HTTP transports such as stdio and child-process transports are not affected.
Patches
The issue was fixed in rmcp 1.4.0 by adding default loopback-only host
allowlist validation for the Streamable HTTP server transport. Incoming HTTP
requests now validate the Host header and return HTTP 403 when the host is not
allowed.
Users should upgrade to rmcp >= 1.4.0.
Workarounds
If upgrading is not possible, place the MCP server behind a reverse proxy
configured to reject requests whose Host header is not one of the expected
hostnames. Do not bind the MCP server to 0.0.0.0 without such validation.
Advisory available under CC0-1.0
license.