Skip to content

chore: warn about insecure httpHost usage - MCP-184 #541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Sep 10, 2025
+16 −0
Merged

chore: warn about insecure httpHost usage - MCP-184 #541

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c934d82
chore: warn about insecure httpHost usage
blva Sep 10, 2025
b4e62b9
update logs
blva Sep 10, 2025
fead17e
Update src/transports/streamableHttp.ts
blva Sep 10, 2025
2230ce8
update criteria
blva Sep 10, 2025
b7a3dd7
Merge branch 'main' into MCP-184
blva Sep 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/common/logger.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ export const LogId = {
streamableHttpTransportCloseFailure: mongoLogId(1_006_006),
streamableHttpTransportKeepAliveFailure: mongoLogId(1_006_007),
streamableHttpTransportKeepAlive: mongoLogId(1_006_008),
streamableHttpTransportHttpHostWarning: mongoLogId(1_006_009),

exportCleanupError: mongoLogId(1_007_001),
exportCreationError: mongoLogId(1_007_002),
Expand Down
9 changes: 9 additions & 0 deletions src/transports/streamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,15 @@ export class StreamableHttpRunner extends TransportRunnerBase {
message: `Server started on ${this.serverAddress}`,
noRedaction: true,
});

if (this.userConfig.httpHost === "0.0.0.0") {
Copy link

Copilot AI Sep 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The warning only checks for exact match of '0.0.0.0'. Consider also warning for other non-localhost bindings like '::' (IPv6 all interfaces) or specific external IP addresses that could expose the server to unauthorized access.

Copilot uses AI. Check for mistakes.
this.logger.warning({
id: LogId.streamableHttpTransportHttpHostWarning,
context: "streamableHttpTransport",
message: `Binding to \`0.0.0.0\` exposes the MCP Server to the entire local network, which allows other devices on the same network to potentially access the MCP Server. This is a security risk and could allow unauthorized access to your database context. `,
noRedaction: true,
});
}
}

async closeTransport(): Promise<void> {
Expand Down
Loading