The Host+Origin allowlist added in 0.9.13 (GHSA-fvh2-gm75-j4j7) closes the browser DNS-rebinding hole, but only for the browser threat model. A direct (non-browser) caller can set Host to whatever the allowlist expects and omit Origin entirely, and rmcp 1.6.0 skips Origin validation when the header is absent (see src/mcp/mod.rs:69-70). So anyone who can reach the port hits the write tools (put_item, update_item, delete_item, create_table, batch_write_item) with no further check.
That was fine while the transport was 127.0.0.1-only on a single user's machine (src/mcp/mod.rs:89). Once the docker work in #24 widens the bind so the port is reachable from outside the container, CI runners and shared docker hosts are part of the threat model too.
Rough thinking: per-request token, generated on startup or supplied via env var / CLI flag, checked on every /mcp request.
In scope:
- HTTP transport (stdio stays as-is, already process-scoped)
- Single token, no rotation
- Docs for local and CI use
Out of scope:
- OAuth / OIDC
- Token rotation
- Per-tool ACLs
- Loopback-only bypass (just recreates the problem once the bind widens)
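A sketch of what the check could look like, added here as an illustration and not code from this repo or from rmcp. It uses std only so it runs on its own; the `Request` view, the `MCP_AUTH_TOKEN` env var name and the function names are assumptions, and a real integration would run `check_request` as middleware in front of the /mcp handler. The comparison is constant-time in the token bytes, the check applies regardless of peer address (no loopback bypass, per the scope above), and Host/Origin are deliberately not consulted because a direct caller controls both.

```rust
// Added example (not project code): bearer-token gate for every /mcp request.
use std::env;
use std::fs::File;
use std::io::Read;

/// Stand-in for the HTTP request the listener hands over: just the raw headers.
/// Peer address is intentionally absent; loopback gets no bypass.
pub struct Request<'a> {
    pub headers: &'a [(&'a str, &'a str)],
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    /// Map to 401: no credential presented at all.
    Unauthorized,
    /// Map to 403: credential presented but wrong.
    Forbidden,
}

/// Constant-time comparison over the token bytes so a wrong guess does not leak
/// how many leading bytes matched. Length is allowed to leak (it is public anyway).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Pull the credential out of `Authorization: Bearer <token>` (header name and
/// scheme matched case-insensitively, as HTTP requires).
fn bearer(headers: &[(&str, &str)]) -> Option<String> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case("authorization"))
        .and_then(|(_, v)| {
            let (scheme, rest) = v.trim().split_once(' ')?;
            if scheme.eq_ignore_ascii_case("bearer") {
                Some(rest.trim().to_string())
            } else {
                None
            }
        })
}

/// Run on every /mcp request before any tool dispatch. Host and Origin are not
/// inputs here: a direct caller can spoof the first and omit the second.
pub fn check_request(req: &Request, expected: &str) -> Decision {
    match bearer(req.headers) {
        None => Decision::Unauthorized,
        Some(t) if ct_eq(t.as_bytes(), expected.as_bytes()) => Decision::Allow,
        Some(_) => Decision::Forbidden,
    }
}

/// Token source: the operator-supplied value (env var / CLI flag) if non-empty,
/// otherwise 32 bytes from the OS RNG, hex-encoded, printed once at startup.
pub fn resolve_token(supplied: Option<String>) -> std::io::Result<String> {
    if let Some(t) = supplied.filter(|t| !t.trim().is_empty()) {
        return Ok(t.trim().to_string());
    }
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

fn main() -> std::io::Result<()> {
    // MCP_AUTH_TOKEN is an assumed name, not a flag the project defines.
    let token = resolve_token(env::var("MCP_AUTH_TOKEN").ok())?;
    println!("MCP auth token (send as `Authorization: Bearer <token>`): {token}");

    // Constructed sample requests standing in for what the listener would see.
    let auth = format!("Bearer {token}");
    let with_token = [("Host", "127.0.0.1:8080"), ("Authorization", auth.as_str())];
    let spoofed_host_only = [("Host", "127.0.0.1:8080")];
    println!("{:?}", check_request(&Request { headers: &with_token }, &token));
    println!("{:?}", check_request(&Request { headers: &spoofed_host_only }, &token));
    Ok(())
}
```

The second sample request is exactly the direct-caller case from the top of the issue: a correct-looking Host and no Origin. With the allowlist alone it passes; with the token check it is rejected before any tool runs.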
Hard blocker on #24. The docker image must not ship until this lands - widening the bind without auth in place is the failure mode this issue exists to prevent.
Related: GHSA-fvh2-gm75-j4j7, MCP transport spec security warning (https://modelcontextprotocol.io/specification/2025-11-25/basic/transports#security-warning).