fix(security): restrict MCP server CORS and MITM proxy bind address #14
Open
aaronjmars wants to merge 1 commit into Mouseww:main from
Vulnerability 1: MCP Server wildcard CORS (Critical)
The MCP HTTP server set Access-Control-Allow-Origin: * with no authentication, allowing any website to interact with the local MCP server — reading captured HTTP traffic (credentials, tokens, cookies), controlling the embedded browser, and triggering AI analysis.
Fix: Validate the Origin header and only allow requests from localhost or 127.0.0.1 origins. Non-browser clients (no Origin header) are still permitted.
Vulnerability 2: MITM proxy bound to 0.0.0.0 (High)
The MITM proxy listened on all network interfaces, exposing it to the entire LAN. Any device on the same network could route traffic through the proxy, having their HTTPS connections decrypted and captured.
Fix: Bind to 127.0.0.1 instead of 0.0.0.0.
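Owner
Once it is restricted to 127.0.0.1, server deployment is no longer possible. Later it may be exposed to the public internet, with some pre-configured sessions built in and opened up for use.
Owner
This fix is valid, but it needs some adjustment: don't support only local connections.
Owner
I will add an authentication mechanism.
Owner
The MITM proxy must be on 0.0.0.0; otherwise phones on the LAN cannot capture packets.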
Security Vulnerability Report
Vulnerability 1: MCP Server Wildcard CORS (Critical)
Type: CORS Misconfiguration — Cross-Origin Data Theft
Severity: Critical
Location: src/main/mcp/mcp-server.ts:70
Description
The MCP HTTP server sets Access-Control-Allow-Origin: * with no authentication. Any website the user visits in any browser can send cross-origin requests to the local MCP server (default port 23816) and:
A malicious website only needs to know the port (which is hardcoded in the source) to fully exploit this.
Fix
Validate the Origin header and reject requests from non-localhost origins. Requests without an Origin header (from CLI tools, non-browser MCP clients) are still allowed. When a valid localhost origin is present, it's reflected back instead of using a wildcard.
Vulnerability 2: MITM Proxy Bound to All Interfaces (High)
Type: Network Exposure
Severity: High
Location: src/main/proxy/mitm-proxy-server.ts:58
Description
The MITM proxy listens on 0.0.0.0 (all network interfaces), exposing it to every device on the local network. Any device on the same Wi-Fi or LAN segment can:
On shared or public networks, this is especially dangerous.
Fix
Bind to 127.0.0.1 instead of 0.0.0.0 so the proxy only accepts connections from the local machine.
Impact
Without these fixes:
Both vulnerabilities are silently exploitable with no user interaction beyond normal app usage.
Found by Aeon — automated security scanner
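One way to implement the Origin check the report describes, as an added TypeScript example (not the code from this pull request). The names decideCors and CorsDecision and the sample origins are hypothetical; the caller is assumed to answer 403 when allowed is false.

```typescript
// Added example: decideCors and CorsDecision are hypothetical names, not from the PR.
type CorsDecision = {
  allowed: boolean;                 // false => respond 403 and do not run the handler
  headers: Record<string, string>;  // CORS headers to set on the response
};

// An Origin header is serialized as scheme://host[:port] with no path, so an
// anchored exact match is sufficient. A prefix check such as
// startsWith("http://localhost") would also accept "http://localhost.attacker.example".
const LOCAL_ORIGIN = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d{1,5})?$/;

function decideCors(origin: string | undefined): CorsDecision {
  // No Origin header: CLI tools and non-browser MCP clients. Allowed, as the
  // PR description states, and no CORS headers are needed.
  if (origin === undefined) {
    return { allowed: true, headers: {} };
  }
  // Also rejects the literal "null" origin sent by sandboxed iframes and file:// pages.
  if (!LOCAL_ORIGIN.test(origin)) {
    return { allowed: false, headers: {} };
  }
  return {
    allowed: true,
    headers: {
      "Access-Control-Allow-Origin": origin, // reflect the validated origin, never "*"
      "Vary": "Origin",                      // keep caches from reusing it for other origins
    },
  };
}

// Constructed sample Origin values, not taken from the PR.
const samples: Array<string | undefined> = [
  undefined,
  "http://localhost:5173",
  "http://127.0.0.1:23816",
  "https://example.com",
  "http://localhost.attacker.example",
  "http://127.0.0.1.attacker.example:23816",
  "null",
];

for (const o of samples) {
  const d = decideCors(o);
  console.log(`${d.allowed ? "allow" : "403  "}  ${String(o)}`);
}
```

Omitting the CORS header alone does not stop a cross-origin request from reaching the handler, so the rejection has to happen before any request processing.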