Model Context Protocol Java SDK Hardcoded Wildcard CORS Vulnerability

Vulnerability

A hardcoded wildcard Cross-Origin Resource Sharing (CORS) configuration has been identified in the Model Context Protocol (MCP) Java SDK, in versions prior to 1.0.1 and 1.1.1. Because the server answers every request with a wildcard Access-Control-Allow-Origin header, any web origin can read server-sent events (SSE) from the affected server, potentially exposing sensitive information such as session IDs.

Impact

Exploitation of this vulnerability allows for unauthorized cross-origin access to server-sent events, enabling an attacker to intercept session IDs and relay messages through the victim's browser.

Remediation

Users should update to MCP Java SDK version 1.0.1 or 1.1.1 to address this vulnerability. For additional CORS management, server implementors can add a CORS filter at the servlet filter layer or in the Spring Security layer, restricting allowed origins to an explicit allow-list rather than a wildcard.
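The following is an added example, not code from the MCP Java SDK or from this advisory, showing the Spring Security layer mitigation described above: a CORS configuration that replaces the wildcard with an explicit origin allow-list scoped to the MCP endpoints. The path pattern /mcp/**, the origin https://app.example.com, and the header names are assumptions chosen for illustration and must be replaced with the deployment's real values.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 * Hardened CORS policy for an MCP server running on Spring Security.
 * Replaces an "allow any origin" setting with an explicit allow-list so that
 * only first-party front ends can open the SSE stream cross-origin.
 */
@Configuration
public class McpCorsConfig {

    // Assumption: the MCP SSE and message endpoints are served under /mcp/**.
    private static final String MCP_PATH_PATTERN = "/mcp/**";

    // Assumption: this is the only first-party web origin that needs cross-origin access.
    // Origins are compared as exact strings (scheme + host + port); never use "*".
    private static final List<String> ALLOWED_ORIGINS = List.of("https://app.example.com");

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();

        // Explicit allow-list instead of the wildcard that caused the vulnerability.
        cfg.setAllowedOrigins(ALLOWED_ORIGINS);

        // Only the verbs the MCP transport actually uses (assumption for this example).
        cfg.setAllowedMethods(List.of("GET", "POST", "DELETE"));

        // Request headers the browser may send; keep this list tight.
        cfg.setAllowedHeaders(List.of("Content-Type", "Authorization"));

        // Credentials (cookies, Authorization) are only honoured for allow-listed origins.
        // Spring refuses to combine allowCredentials=true with an allowed origin of "*",
        // which acts as a built-in guard against reintroducing the wildcard.
        cfg.setAllowCredentials(true);

        // Cache preflight results for 10 minutes.
        cfg.setMaxAge(600L);

        // Scope the policy to the MCP endpoints only; other paths get no CORS headers.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration(MCP_PATH_PATTERN, cfg);
        return source;
    }

    @Bean
    SecurityFilterChain mcpSecurityFilterChain(HttpSecurity http) throws Exception {
        // Register the CORS policy in the Spring Security filter chain so it runs
        // before any authentication or authorization decisions for the MCP paths.
        http.cors(cors -> cors.configurationSource(corsConfigurationSource()));
        return http.build();
    }
}
```

With this in place, a cross-site page served from any origin other than https://app.example.com receives no Access-Control-Allow-Origin header for the SSE endpoint, so the browser blocks the response and the session ID never reaches the foreign script. A quick check after deploying is to send a request with an Origin header for an unlisted site and confirm the response carries no Access-Control-Allow-Origin header at all.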

Added: Mar 31, 2026, 4:35 PM
Updated: Mar 31, 2026, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.2
exploitability: 6.9
remediation: 0.0
relevance: 5.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.