DNS rebinding vulnerability in rmcp Streamable HTTP server transport
| Details |
|
| Package |
rmcp |
| Version |
0.16.0 |
| URL |
GHSA-89vp-x53w-74fx |
| Date |
2026-04-29 |
| Patched versions |
>=1.4.0 |
Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did
not validate the incoming Host header.
This allowed a malicious public website, via a DNS rebinding attack, to send
requests to an MCP server running on the victim's loopback or private-network
interface.
An attacker who convinced a victim to visit a malicious page could enumerate and
invoke tools exposed by a locally running rmcp-based MCP server, read resources
and prompts, and trigger side effects limited by the tools exposed by that
server.
Non-HTTP transports such as stdio and child-process transports are not affected.
Patches
The issue was fixed in rmcp 1.4.0 by adding default loopback-only host
allowlist validation for the Streamable HTTP server transport. Incoming HTTP
requests now validate the Host header and return HTTP 403 when the host is not
allowed.
Users should upgrade to rmcp >= 1.4.0.
Workarounds
If upgrading is not possible, place the MCP server behind a reverse proxy
configured to reject requests whose Host header is not one of the expected
hostnames. Do not bind the MCP server to 0.0.0.0 without such validation.
See advisory page for additional details.
rmcp0.16.0>=1.4.0Prior to version 1.4.0, the
rmcpcrate's Streamable HTTP server transport didnot validate the incoming
Hostheader.This allowed a malicious public website, via a DNS rebinding attack, to send
requests to an MCP server running on the victim's loopback or private-network
interface.
An attacker who convinced a victim to visit a malicious page could enumerate and
invoke tools exposed by a locally running rmcp-based MCP server, read resources
and prompts, and trigger side effects limited by the tools exposed by that
server.
Non-HTTP transports such as stdio and child-process transports are not affected.
Patches
The issue was fixed in
rmcp1.4.0 by adding default loopback-only hostallowlist validation for the Streamable HTTP server transport. Incoming HTTP
requests now validate the
Hostheader and return HTTP 403 when the host is notallowed.
Users should upgrade to
rmcp >= 1.4.0.Workarounds
If upgrading is not possible, place the MCP server behind a reverse proxy
configured to reject requests whose
Hostheader is not one of the expectedhostnames. Do not bind the MCP server to
0.0.0.0without such validation.See advisory page for additional details.