Skip to content

RUSTSEC-2026-0189: DNS rebinding vulnerability in rmcp Streamable HTTP server transport #993

Description

@github-actions

DNS rebinding vulnerability in rmcp Streamable HTTP server transport

Details
Package rmcp
Version 0.16.0
URL GHSA-89vp-x53w-74fx
Date 2026-04-29
Patched versions >=1.4.0

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did
not validate the incoming Host header.

This allowed a malicious public website, via a DNS rebinding attack, to send
requests to an MCP server running on the victim's loopback or private-network
interface.

An attacker who convinced a victim to visit a malicious page could enumerate and
invoke tools exposed by a locally running rmcp-based MCP server, read resources
and prompts, and trigger side effects limited by the tools exposed by that
server.

Non-HTTP transports such as stdio and child-process transports are not affected.

Patches

The issue was fixed in rmcp 1.4.0 by adding default loopback-only host
allowlist validation for the Streamable HTTP server transport. Incoming HTTP
requests now validate the Host header and return HTTP 403 when the host is not
allowed.

Users should upgrade to rmcp >= 1.4.0.

Workarounds

If upgrading is not possible, place the MCP server behind a reverse proxy
configured to reject requests whose Host header is not one of the expected
hostnames. Do not bind the MCP server to 0.0.0.0 without such validation.

See advisory page for additional details.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions