RMCP Rust SDK Streamable HTTP Server Host Header Validation Vulnerability Allowing DNS Rebinding

Vulnerability

A DNS rebinding vulnerability has been identified in the RMCP Rust SDK, specifically in the Streamable HTTP server transport, prior to version 1.4.0. The issue arises because the server did not validate the incoming Host header, allowing malicious websites to send authenticated requests to MCP servers on the victim's loopback or private-network interface. This behavior violated the MCP specification's transport security guidance. The vulnerability is now fixed in version 1.4.0, which includes proper Host header validation to prevent such attacks.

Impact

Exploitation of this vulnerability allowed attackers to send authenticated requests to a victim's MCP server, potentially leading to unauthorized access and manipulation of resources, prompts, and session states. Such actions could trigger side effects like file writes, shell executions, or API calls, depending on the tools exposed by the victim's server. Since MCP servers often run with user privileges and provide access to developer tools, the vulnerability could result in arbitrary code execution on the victim's machine.

Reproduction

The vulnerability can be reproduced by hosting an RMCP-based MCP server using a Streamable HTTP server transport at a version prior to 1.4.0. A malicious public website can then be set up to perform a DNS rebinding attack, sending authenticated requests to the MCP server running on the victim's loopback or private-network interface. This can be done by first binding a domain to the victim's IP address and then, after the DNS has propagated, rebinding it to a malicious server that sends requests to the local MCP server.

Remediation

Users are advised to upgrade to RMCP version 1.4.0 or later. If an upgrade is not possible, the MCP server can be placed behind a reverse proxy, such as Nginx or Caddy, configured to reject requests with unexpected Host headers. Continuing to run an unpatched server without such an upstream reverse proxy validating Host headers is not recommended.
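The fix described in the Vulnerability section and the reverse-proxy workaround above come down to the same check: accept a request only when its Host header names the host (and port) the server actually listens on. The following is an added example written for this page, not code from the RMCP SDK or from version 1.4.0; the allowlist of loopback names and the listening port 8080 are constructed assumptions. It rejects a missing header, an unbracketed IPv6 literal, a malformed or mismatched port, and any name outside the allowlist, while tolerating case differences and a trailing dot. A proxy rule that rejects unexpected Host values implements this same predicate in front of an unpatched server.

```rust
// Added example (not RMCP SDK code): Host header validation for a loopback
// MCP server, the kind of check a Streamable HTTP transport needs so that a
// page loaded from a rebound domain cannot reach it. The allowed hosts and
// the listening port used below are constructed assumptions.

/// Split a Host header value into (host, port). Bracketed IPv6 literals keep
/// their brackets, so "[::1]:8080" becomes ("[::1]", Some(8080)).
/// Returns None for anything that is not a well-formed host[:port].
fn split_host_port(value: &str) -> Option<(&str, Option<u16>)> {
    let value = value.trim();
    if value.is_empty() {
        return None;
    }
    if value.starts_with('[') {
        // Bracketed IPv6 literal, optionally followed by ":port".
        let end = value.find(']')?;
        let host = &value[..=end];
        let rest = &value[end + 1..];
        if rest.is_empty() {
            return Some((host, None));
        }
        let port = rest.strip_prefix(':')?.parse::<u16>().ok()?;
        return Some((host, Some(port)));
    }
    match value.rsplit_once(':') {
        Some((host, port)) => {
            // An empty host or an unbracketed IPv6 literal is malformed.
            if host.is_empty() || host.contains(':') {
                return None;
            }
            let port = port.parse::<u16>().ok()?;
            Some((host, Some(port)))
        }
        None => Some((value, None)),
    }
}

/// True only when the Host header names one of `allowed_hosts` and, if a
/// port is present, it equals the port this server listens on.
pub fn host_is_allowed(header: Option<&str>, allowed_hosts: &[&str], listen_port: u16) -> bool {
    // A missing Host header is rejected rather than defaulted to localhost.
    let Some(raw) = header else {
        return false;
    };
    let Some((host, port)) = split_host_port(raw) else {
        return false;
    };
    // Host names are case-insensitive and may carry a trailing FQDN dot.
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let host_ok = allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(&host));
    let port_ok = port.map_or(true, |p| p == listen_port);
    host_ok && port_ok
}

fn main() {
    // Constructed allowlist for a server bound to loopback on port 8080.
    let allowed = ["localhost", "127.0.0.1", "[::1]"];
    let samples = ["localhost:8080", "LOCALHOST", "[::1]:8080", "attacker.example:8080",
                   "127.0.0.1:9090", "::1"];
    for h in samples {
        println!("{h:>24} -> allowed: {}", host_is_allowed(Some(h), &allowed, 8080));
    }
}
```

The check belongs before any session or authentication state is consulted, so a rejected request is answered (typically with 421 or 403) without touching MCP resources. Note that comparing against an allowlist of names, not merely checking that the header "looks local", is what defeats rebinding: the rebound request arrives with the attacker's domain in Host, even though its destination IP is loopback.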

Added: May 14, 2026, 3:32 PM
Updated: May 14, 2026, 3:32 PM

Vulnerability Rating

Custom Algorithm:
  spread          0.0
  impact          3.1
  exploitability  6.8
  remediation     0.0
  relevance       8.3
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.