PT-2026-25882 · Pypi · Mcp-Memory-Service

Publicado

2026-03-07

·

Atualizado

2026-03-07

CVSS v3.1

8.1

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

When the HTTP server is enabled (MCP HTTP ENABLED=true), the application configures FastAPI's CORSMiddleware with allow origins=['*'], allow credentials=True, allow methods=["*"], and allow headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP ALLOW ANONYMOUS ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories.

Details

Vulnerable Code

config.py:546 - Wildcard CORS origin default
python
CORS ORIGINS = os.getenv('MCP CORS ORIGINS', '*').split(',')
This produces ['*'] by default, allowing any origin.
app.py:274-280 - CORSMiddleware configuration
python
# CORS middleware
app.add middleware(
  CORSMiddleware,
  allow origins=CORS ORIGINS,    # ['*'] by default
  allow credentials=True,       # Unnecessary for anonymous access; bad practice
  allow methods=["*"],
  allow headers=["*"],
)

How the Attack Works

The wildcard CORS default means every API response includes Access-Control-Allow-Origin: *. This tells browsers to allow any website to read the response. When combined with anonymous access (no authentication required), the attack is straightforward:
javascript
// Running on https://evil.com - reads victim's memories
// No credentials needed - anonymous access means the API is open
const response = await fetch('http://192.168.1.100:8000/api/memories');
const memories = await response.json();
// memories contains every stored memory - passwords, API keys, personal notes
The browser sends the request, the server responds with ACAO: *, and the browser allows the JavaScript to read the response body. No cookies, no auth headers, no credentials of any kind.
Clarification on allow credentials=True: The advisory originally stated that Starlette reflects the Origin header when allow credentials=True with wildcard origins. Testing with Starlette 0.52.1 shows that actual responses return ACAO: * (not the reflected origin); only preflight OPTIONS responses reflect the origin. Per the Fetch specification, browsers block ACAO: * when credentials: 'include' is used. However, this is irrelevant to the attack because anonymous access means no credentials are needed - a plain fetch() without credentials: 'include' works, and ACAO: * allows it.

Two Attack Vectors

This misconfiguration enables two distinct attack paths:
1. Cross-origin browser attack (CORS - this advisory)
  • Attacker lures victim to a malicious webpage
  • JavaScript on the page reads/writes the memory service API
  • Works from anywhere on the internet if the victim visits the page
  • The ACAO: * header is what allows the browser to expose the response to the attacker's JavaScript
2. Direct network access (compounding factor)
  • Attacker on the same network directly calls the API (curl http://<target>:8000/api/memories)
  • No CORS involved - CORS is a browser-only restriction
  • Enabled by 0.0.0.0 binding + anonymous access, independent of CORS configuration
The CORS misconfiguration specifically enables attack vector #1, extending the reach from local network to anyone who can get the victim to click a link.

Compounding Factors

  • HTTP HOST = '0.0.0.0' - Binds to all interfaces, exposing the service to the entire network (enables attack vector #2)
  • HTTPS ENABLED = 'false' - No TLS by default, allowing passive interception
  • MCP ALLOW ANONYMOUS ACCESS - When enabled, no authentication is required at all. This is the key enabler: without it, the CORS wildcard alone would not allow data access (the attacker would need to forward valid credentials, which ACAO: * blocks)
  • allow credentials=True - Bad practice: if a future Starlette version changes to reflect origins (as some CORS implementations do), this would escalate the vulnerability by allowing credential-forwarding attacks against OAuth/API-key users
  • API key via query parameter - api key query param is cached in browser history and server logs

Attack Scenario

  1. Victim runs mcp-memory-service with HTTP enabled and anonymous access
  2. Victim visits https://evil.com which includes JavaScript
  3. JavaScript sends fetch('http://<victim-ip>:8000/api/memories') (no credentials needed)
  4. Server responds with Access-Control-Allow-Origin: *
  5. Browser allows JavaScript to read the response - attacker receives all memories
  6. Attacker's script also calls DELETE/PUT endpoints to modify or destroy memories
  7. Victim sees a normal web page; no indication of the attack

Root Cause

The default value of MCP CORS ORIGINS is *, which allows any website to read API responses. This is a permissive default that should be restricted to the expected dashboard origin (typically localhost). The allow credentials=True is an additional misconfiguration that doesn't currently enable the attack.

PoC

python
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from starlette.testclient import TestClient

app = FastAPI()
app.add middleware(
  CORSMiddleware,
  allow origins=["*"],
  allow credentials=True,
  allow methods=["*"],
  allow headers=["*"],
)

@app.get("/api/memories")
def memories():
  return [{"content": "secret memory data"}]

client = TestClient(app)

# Non-credentialed request (how the real attack works with anonymous access)
response = client.get("/api/memories", headers={"Origin": "https://evil.com"})
print(response.headers["access-control-allow-origin"]) # *
print(response.json()) # [{"content": "secret memory data"}]
# Any website can read this response because ACAO is *

Impact

  • Complete cross-origin memory access: Any website can read all stored memories when the victim has the HTTP server running with anonymous access
  • Memory tampering: Write/delete endpoints are also accessible cross-origin, allowing memory destruction
  • Remote attack surface: Unlike direct network access (which requires LAN proximity), the CORS vector works from anywhere on the internet - the victim just needs to visit a link
  • Silent exfiltration: The attack is invisible to the victim; no browser warnings, no popups, no indicators

Remediation

Replace the wildcard default with an explicit localhost origin:
python
# In config.py (safe default)
CORS ORIGINS = os.getenv('MCP CORS ORIGINS', 'http://localhost:8000,http://127.0.0.1:8000').split(',')

# In app.py - warn on wildcard
if '*' in CORS ORIGINS:
  logger.warning("Wildcard CORS origin detected. This allows any website to access the API. "
          "Set MCP CORS ORIGINS to restrict access.")

# Also: set allow credentials=False unless specific origins are configured
app.add middleware(
  CORSMiddleware,
  allow origins=CORS ORIGINS,
  allow credentials='*' not in CORS ORIGINS, # Only with explicit origins
  allow methods=["*"],
  allow headers=["*"],
)

Affected Deployments

The vulnerability exists in the Python source code and is not mitigated by any deployment-specific configuration. Docker HTTP mode is the highest-risk deployment because it explicitly binds to 0.0.0.0, maps the port, and does not override the wildcard CORS default.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-942

Identificadores relacionados

GHSA-G9RG-8VQ5-MPWM

Produtos afetados

Mcp-Memory-Service