Technologyglobal✓ verified · 90%

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools

Name: PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
Start: 2026-06-18T13:52:40Z
Location: Global (internet)

When: 2026-06-18 13:52 UTC
Where: Global (internet)
Category: cyber_advisory · pip

# PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools ## Summary `praisonaiagents.mcp.ToolsMCPServer.run_sse()` builds a Starlette MCP HTTP+SSE server around `mcp.server.sse.SseServerTransport`. The server exposes `/sse` and `/messages/`, but it does not validate `Origin`, does not validate `Host`, and does not require any authentication. This is reachable through supported PraisonAI code paths that wrap configured MCP server tools and re-expose them over legacy SSE: - `praisonai mcp run <name> --transport sse` - `praisonai serve mcp --name <name> --transport sse` - direct use of `ToolsMCPServer(...).run_sse(...)` or `launch_tools_mcp_server(..., transport="sse")` A malicious website can use DNS rebinding against a local or internal PraisonAI SSE MCP server and send requests with attacker-controlled `Host` and `Origin` headers. The local PoV binds only to `127.0.0.1`, sends an attacker `Host` and `Origin`, lists the registered tool, and invokes it successfully. The same attacker `Origin` is rejected by PraisonAI's current Streamable HTTP transport with HTTP 403. The vulnerability is therefore a sibling transport guard gap in the legacy SSE wrapper, not intended behavior. ## Affected product - Repository: `MervinPraison/PraisonAI` - Packages: - `praisonaiagents` - `praisonai` - Primary component: `src/praisonai-agents/praisonaiagents/mcp/mcp_server.py` - CLI wrappers: - `src/praisonai/praisonai/cli/commands/mcp.py` - `src/praisonai/praisonai/cli/commands/serve.py` - Latest verified release/current head: - `praisonaiagents 1.6.58` - `PraisonAI 4.6.58` - repo head `1ad58ca02975ff1398efeda694ea2ab78f20cf3e` Suggested affected ranges: - `praisonaiagents >= 0.6.0, <= 1.6.58` - `praisonai >= 3.10.0, <= 4.6.58` No fixed version is known at submission time. Confirmed source sweep: ```text v3.0.0 ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks v3.10.0 praisonai mcp run --transport sse wraps configured tools into helper v3.12.3 praisonai serve mcp --name --transport sse wraps configured tools v4.0.0 same vulnerable helper and CLI wrapping paths v4.4.12 same vulnerable helper and CLI wrapping paths v4.5.0 same vulnerable helper and CLI wrapping paths v4.5.56 same vulnerable helper and CLI wrapping paths v4.5.139 same vulnerable helper and CLI wrapping paths v4.6.57 same vulnerable helper and CLI wrapping paths v4.6.58 same vulnerable helper and dynamic PoV succeeds ``` ## Impact If a PraisonAI user starts a local or internal legacy SSE MCP server with registered tools, an attacker who gets that user to visit a malicious website can use DNS rebinding to interact with the SSE server through the browser. The attacker can discover exposed tools and invoke them as the local user. Impact depends on the configured tools. In realistic PraisonAI MCP deployments, registered tools may access local files, repositories, issue trackers, cloud APIs, internal services, or other automation targets. This can lead to confidentiality, integrity, and availability impact for the resources reachable by the exposed tools. The PoV is local-only and harmless. It exposes one marker tool that writes a canary string to a temporary directory. ## Root cause Current `ToolsMCPServer.run_sse()` constructs a Starlette app directly: ```python sse_path = "/sse" messages_path = "/messages/" sse_transport = SseServerTransport(messages_path) async def handle_sse(request: Request): async with sse_transport.connect_sse( request.scope, request.receive, request._send ) as (read_stream, write_stream): await mcp._mcp_server.run( read_stream, write_stream, mcp._mcp_server.create_initialization_options() ) app = Starlette( debug=self._debug, routes=[ Route(sse_path, endpoint=handle_sse), Mount(messages_path, app=sse_transport.handle_post_message), ] ) uvicorn.run(app, host=host, port=port) ``` There is no middleware or route-level check for: - `Origin` - `Host` - `Authorization` - API key - allowed origins / allowed hosts The configured CLI wrapper exposes this path: ```python from praisonaiagents.mcp import MCP, ToolsMCPServer cmd_string = " ".join(cmd) mcp = MCP(cmd_string, timeout=60, env=server.env or {}) tools = mcp.get_tools() mcp_server = ToolsMCPServer(name=name, tools=tools) mcp_server.run_sse(host=host, port=port) ``` By contrast, the current Streamable HTTP transport validates `Origin` and returns HTTP 403 for an invalid origin: ```python origin = request.headers.get("Origin") if not self._validate_origin(origin): return JSONResponse(..., status_code=403) ``` ## Local-only PoV Run from the harness checkout: ```bash uv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \ python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \ --repo-src artifacts/repos/praisonai-v4.6.58/src ``` Observed current-head result: ```json { "candidate": "PRAI-CAND-015", "http_stream_control": { "attacker_origin": "http://attacker.example.test", "rejects_attacker_origin": true, "status_code": 403, "transport": "current_http_stream" }, "source_checks": { "has_auth_check": false, "has_host_check": false, "has_origin_check": false, "has_sse_transport": true, "route_count": 2 }, "sse_probe": { "attacker_headers": { "Host": "attacker.example.test:62380", "Origin": "http://attacker.example.test:62380" }, "bind_host": "127.0.0.1", "marker_value": "executed-from-attacker-origin", "marker_written": true, "server_started": true, "tool_call_content": [ "recorded:executed-from-attacker-origin" ], "tool_call_error": false, "tool_names": [ "record_marker" ], "vulnerable": true }, "vulnerable": true } ``` The PoV: 1. imports the current `ToolsMCPServer`; 2. registers one marker tool; 3. monkey-patches `uvicorn.run` only to capture the exact Starlette app created by `run_sse()`; 4. starts that app on `127.0.0.1`; 5. connects to `/sse` with attacker-controlled `Host` and `Origin`; 6. lists tools and calls the marker tool; 7. runs a control against PraisonAI's current Streamable HTTP transport and confirms the same attacker `Origin` is rejected with HTTP 403. ## Why this is not intended behavior This is not only a trust-model disagreement. PraisonAI's MCP documentation describes Streamable HTTP, WebSocket, and legacy SSE as supported MCP transport mechanisms. The same documentation says the MCP module's security properties include origin validation, authentication headers, and secure session IDs. The transport guide also has a dedicated security section for origin validation as DNS rebinding prevention and authentication. The official MCP specification warns that HTTP transports need origin validation to prevent DNS rebinding, should bind locally for local servers, and should implement authentication. It also says that without those protections, remote websites can interact with local MCP servers. The upstream MCP Python SDK advisory `GHSA-9h52-p55h-vw2f` / `CVE-2025-66416` classifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding protection as a High severity issue because malicious websites can invoke tools or access resources exposed by the local MCP server. That advisory also says custom low-level `SseServerTransport` configurations should explicitly configure transport security settings when running unauthenticated localhost servers. PraisonAI's current Streamable HTTP implementation already enforces an Origin guard and rejects the exact attacker Origin used in the PoV. The issue is that the legacy SSE sibling path lacks the same boundary. ## Suggested severity Suggested severity: High. Rationale: - `AV`: the attack uses browser-origin HTTP requ

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 13:52 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map