Summary
dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header, which the server would then process. Affects 0.9.3 to 0.9.12. The stdio transport (dynoxide mcp without --http, which is the default) is not affected.
Workarounds
- Upgrade to dynoxide 0.9.13.
- If upgrade is not immediately possible: do not run the MCP HTTP transport. Run
dynoxide mcp(stdio, the default) instead ofdynoxide mcp --http, and don't pass--mcptodynoxide serve.
Resources
- Upstream rmcp advisory: GHSA-89vp-x53w-74fx
- Upstream CVE: CVE-2026-42559
- dynoxide release: v0.9.13
- MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-11-25/basic/transports#security-warning
Credits
Vulnerability identified via GitHub Dependabot alert on the transitive rmcp dependency.
Impact
If a user is running dynoxide mcp --http (or dynoxide serve --mcp) on their machine and then visits a malicious web page, the attacker's JavaScript can call any MCP tool exposed by the running dynoxide instance.
Reachable tools include reads (get_item, query, scan, batch_get_item, describe_table, list_tables) and writes (put_item, update_item, delete_item, create_table, batch_write_item).
Any data in tables that the local dynoxide instance has access to can be read, modified, or destroyed.
A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.
GHSA-FVH2-GM75-J4J7 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.13); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
dynoxide 0.9.13 closes both the named CVE and a related cross-origin CSRF gap:
DNS rebinding (the named CVE).
rmcpis upgraded from 1.1.1 to 1.6.0. rmcp 1.4+ ships a default Host-header allowlist (["localhost", "127.0.0.1", "::1"]) which rejects requests carrying any other Host header with a 403.Defence in depth. Explicit
allowed_hostsandallowed_originslists are now set onStreamableHttpServerConfigdirectly. The Host allowlist protects against a future rmcp default flip. The Origin allowlist closes a related cross-origin CSRF gap that the Host check alone does not address: a malicious page couldfetchthe loopback endpoint withmode: 'no-cors', the Host header would match (it's the literal loopback address the browser is connecting to), but the Origin header would otherwise have been unchecked.
Native MCP clients that don't send an Origin header (Claude Code, Cursor, the dynoxide CLI) are unaffected by the Origin check and continue to work.
Frequently Asked Questions
- What is GHSA-FVH2-GM75-J4J7? GHSA-FVH2-GM75-J4J7 is a high-severity cross-site request forgery (CSRF) vulnerability in dynoxide-rs (rust), affecting versions >= 0.9.3, < 0.9.13. It is fixed in 0.9.13. A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones.
- How severe is GHSA-FVH2-GM75-J4J7? GHSA-FVH2-GM75-J4J7 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by GHSA-FVH2-GM75-J4J7?
dynoxide-rs(rust) (versions >= 0.9.3, < 0.9.13)dynoxide(npm) (versions >= 0.9.3, < 0.9.13)
- Is there a fix for GHSA-FVH2-GM75-J4J7? Yes. GHSA-FVH2-GM75-J4J7 is fixed in 0.9.13. Upgrade to this version or later.
- Is GHSA-FVH2-GM75-J4J7 exploitable, and should I be worried? Whether GHSA-FVH2-GM75-J4J7 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-FVH2-GM75-J4J7 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-FVH2-GM75-J4J7?
- Upgrade
dynoxide-rsto 0.9.13 or later - Upgrade
dynoxideto 0.9.13 or later
- Upgrade