Summary
The mcp-toolbox (formerly genai-toolbox) implements a global CORS (Cross-Origin Resource Sharing) middleware in internal/server/server.go but overrides it with a hardcoded Access-Control-Allow-Origin: * in the SSE handler for the Model Context Protocol (MCP).
Technical Details
In internal/server/mcp.go:370, the sseHandler manually sets the header:
w.Header().Set("Access-Control-Allow-Origin", "*")
This hardcoded value overrides the global CORS policy, allowing any website to establish a connection to the toolbox, hijack session IDs, and execute arbitrary tools on behalf of the user.
Impact
- Security Policy Bypass: Renders the --allowed-origins flag ineffective for the SSE endpoint.
- CSRF / Session Hijacking: Malicious sites can use the toolbox as a proxy to exfiltrate data from databases (Postgres, BigQuery, etc.) configured in the toolbox.
Recommended Mitigation
Remove the hardcoded header at line 370 of internal/server/mcp.go. The global CORS middleware in internal/server/server.go is already correctly configured to handle this based on administrator flags.
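The following is an added, self-contained Go illustration (not the toolbox's own server.go or mcp.go code) of why the per-handler Set defeats the global policy: an allow-list middleware reflects only permitted origins, but a downstream handler that writes "*" replaces that decision before the response is flushed. The middleware, handler names, the /mcp/sse path and the example origins are assumptions for the demonstration; the hardened handler simply stops touching the header, which is the mitigation recommended above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsMiddleware reflects the request Origin only when it is on the
// administrator-supplied allow list, the way a global CORS middleware
// driven by an --allowed-origins style flag would. Illustrative code,
// not the project's own middleware.
func corsMiddleware(allowed []string, next http.Handler) http.Handler {
	allowedSet := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		allowedSet[o] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if _, ok := allowedSet[origin]; ok && origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableSSEHandler reproduces the defect pattern from the report:
// the handler overwrites whatever the middleware decided with a wildcard,
// so the allow list never reaches the browser.
func vulnerableSSEHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*") // overrides the global policy
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\n\n")
}

// fixedSSEHandler is the hardened form: it leaves origin handling entirely
// to the middleware and only sets the SSE content type.
func fixedSSEHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\n\n")
}

// allowOriginFor sends a GET carrying the given Origin through the
// middleware-wrapped handler and returns the Access-Control-Allow-Origin
// value a browser would observe. Useful as a regression check that no
// handler re-introduces a hardcoded wildcard.
func allowOriginFor(handler http.HandlerFunc, allowed []string, origin string) string {
	srv := corsMiddleware(allowed, handler)
	req := httptest.NewRequest(http.MethodGet, "/mcp/sse", nil) // assumed path
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	allowed := []string{"https://trusted.example"} // constructed allow list
	for _, origin := range []string{"https://trusted.example", "https://other.example"} {
		fmt.Printf("origin=%s vulnerable=%q fixed=%q\n", origin,
			allowOriginFor(vulnerableSSEHandler, allowed, origin),
			allowOriginFor(fixedSSEHandler, allowed, origin))
	}
}
```

Running it shows the vulnerable handler answering "*" to every origin, including ones not on the list, while the fixed handler answers with the reflected origin for an allowed site and with no header at all for any other, which is exactly the behaviour the --allowed-origins flag is meant to guarantee. A check like allowOriginFor belongs in the test suite so that the SSE endpoint is covered alongside the rest of the routes.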
CC: @averikitsch