Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did
not validate the incoming Host header.
This allowed a malicious public website, via a DNS rebinding attack, to send requests to an MCP server running on the victim's loopback or private-network interface.
An attacker who convinced a victim to visit a malicious page could enumerate and invoke tools exposed by a locally running rmcp-based MCP server, read resources and prompts, and trigger side effects limited by the tools exposed by that server.
Non-HTTP transports such as stdio and child-process transports are not affected.
The issue was fixed in rmcp 1.4.0 by adding default loopback-only host
allowlist validation for the Streamable HTTP server transport. Incoming HTTP
requests now validate the Host header and return HTTP 403 when the host is not
allowed.
Users should upgrade to rmcp >= 1.4.0.
If upgrading is not possible, place the MCP server behind a reverse proxy
configured to reject requests whose Host header is not one of the expected
hostnames. Do not bind the MCP server to 0.0.0.0 without such validation.
{
"license": "CC0-1.0"
}