Google MCP Toolbox
- v2024-11-05
Google MCP Toolbox is vulnerable to DNS rebinding attacks because it improperly handles Cross-Origin Resource Sharing (CORS) headers in Server-Sent Events (SSE) connections. The issue arises from a hardcoded 'Access-Control-Allow-Origin: *' header in the SSE initialization, which overrides the global CORS policy and fails to respect the 'allowed-origins' and 'allowed-hosts' flags intended to enhance security. This vulnerability affects users connecting through the Toolbox via SSE under specification v2024-11-05.
The vulnerability bypasses the intended CORS policy, allowing any website to connect to the MCP Toolbox, hijack session IDs, and execute tools on behalf of the user. Additionally, it could enable data exfiltration from connected databases, such as Postgres or BigQuery.
The vulnerability has been addressed in version 1.2.0 of Google MCP Toolbox by removing the hardcoded CORS header and allowing the global CORS middleware to manage origins based on administrator-configured flags.
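The override and its fix, as an added Go example that is not the Toolbox's own code. The names corsMiddleware, sseHandler and acaoFor, the two origins and the SSE payload are constructed for illustration; the allowlist stands in for the administrator-configured origins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsMiddleware is a hypothetical stand-in for a global CORS policy: it
// echoes the request Origin only when it is on the administrator's allowlist.
func corsMiddleware(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// sseHandler opens an SSE stream. With hardcodeWildcard=true it reproduces the
// flaw: Header().Set replaces whatever value the middleware already chose.
func sseHandler(hardcodeWildcard bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		if hardcodeWildcard {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		}
		// Constructed sample event; a real stream would carry a session ID.
		fmt.Fprint(w, "event: endpoint\ndata: /messages?sessionId=CONSTRUCTED\n\n")
	})
}

// acaoFor returns the Access-Control-Allow-Origin value sent to a given origin.
func acaoFor(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allowed := map[string]bool{"https://app.example": true}
	for _, hardcoded := range []bool{true, false} {
		h := corsMiddleware(allowed, sseHandler(hardcoded))
		for _, o := range []string{"https://app.example", "https://untrusted.example"} {
			fmt.Printf("hardcoded=%v origin=%s ACAO=%q\n", hardcoded, o, acaoFor(h, o))
		}
	}
}
```

The same check works as a regression test for any handler that sets its own CORS headers: request it with an origin that is not on the allowlist and require that no Access-Control-Allow-Origin header comes back.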