fix: replace CORS wildcard+credentials with explicit origin allowlist#94
Conversation
Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
c0e48d4 to
c594a7f
Compare
|
Hi maintainers — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback, so I wanted to resurface it. Happy to rebase, adjust the approach, add tests, or split the change differently if that would make review easier. Thanks! |
|
Hi — this security PR has been open for 40 days without maintainer response. Per our responsible disclosure policy, I'll be closing this PR shortly. I may resubmit via a bounty platform if appropriate. Thanks for your time. |
|
Closing per responsible disclosure policy: 35+ days open with no maintainer response. May resubmit via bounty platform. |
|
This security fix has been open for 30+ days. Per our responsible disclosure timeline, we'd like to move toward resolution. We can: (1) rebase and adjust the patch, (2) reach out via security@ email, or (3) resubmit via a bounty platform. Please let us know your preference. |
Summary
The FastAPI MCP transport configures CORS with
allow_origins=["*"]ANDallow_credentials=True. This combination is disallowed by the Fetch spec but the framework still sets the headers. Any origin can read cross-origin responses from MCP tool endpoints, enabling data exfiltration of tool outputs.Fix
Replace wildcard with
A2A_MCP_ALLOWED_ORIGINSenv var allowlist. Setallow_credentials=Falseby default. Restrict methods and headers to only what is needed.Test Plan
A2A_MCP_ALLOWED_ORIGINS=https://app.example.com, only that origin can access MCP endpointsallow_credentials=Falseis setSecurity Note
Severity: High. CORS wildcard + credentials on MCP tool endpoints enables cross-origin data exfiltration.