Skip to content

fix: replace CORS wildcard+credentials with explicit origin allowlist#94

Open
Joshua-Medvinsky wants to merge 1 commit into
themanojdesai:mainfrom
Joshua-Medvinsky:fix/find-003-cors-credentials-fastapi
Open

fix: replace CORS wildcard+credentials with explicit origin allowlist#94
Joshua-Medvinsky wants to merge 1 commit into
themanojdesai:mainfrom
Joshua-Medvinsky:fix/find-003-cors-credentials-fastapi

Conversation

@Joshua-Medvinsky

Copy link
Copy Markdown

Summary

The FastAPI MCP transport configures CORS with allow_origins=["*"] AND allow_credentials=True. This combination is disallowed by the Fetch spec but the framework still sets the headers. Any origin can read cross-origin responses from MCP tool endpoints, enabling data exfiltration of tool outputs.

Fix

Replace wildcard with A2A_MCP_ALLOWED_ORIGINS env var allowlist. Set allow_credentials=False by default. Restrict methods and headers to only what is needed.

Test Plan

  • With A2A_MCP_ALLOWED_ORIGINS=https://app.example.com, only that origin can access MCP endpoints
  • Without the env var, no CORS headers are sent
  • allow_credentials=False is set

Security Note

Severity: High. CORS wildcard + credentials on MCP tool endpoints enables cross-origin data exfiltration.

Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
@Joshua-Medvinsky Joshua-Medvinsky force-pushed the fix/find-003-cors-credentials-fastapi branch from c0e48d4 to c594a7f Compare June 10, 2026 03:22
@failsafesecurity

Copy link
Copy Markdown

Hi maintainers — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback, so I wanted to resurface it.

Happy to rebase, adjust the approach, add tests, or split the change differently if that would make review easier. Thanks!

@failsafesecurity

Copy link
Copy Markdown

Hi — this security PR has been open for 40 days without maintainer response. Per our responsible disclosure policy, I'll be closing this PR shortly. I may resubmit via a bounty platform if appropriate. Thanks for your time.

@failsafesecurity

Copy link
Copy Markdown

Closing per responsible disclosure policy: 35+ days open with no maintainer response. May resubmit via bounty platform.

@failsafesecurity

Copy link
Copy Markdown

This security fix has been open for 30+ days. Per our responsible disclosure timeline, we'd like to move toward resolution. We can: (1) rebase and adjust the patch, (2) reach out via security@ email, or (3) resubmit via a bounty platform. Please let us know your preference.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants