GHSA-FVH2-GM75-J4J7

GHSA-FVH2-GM75-J4J7 is a high-severity cross-site request forgery (CSRF) vulnerability in dynoxide-rs (rust), affecting versions >= 0.9.3, < 0.9.13. It is fixed in 0.9.13.

Summary

dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header, which the server would then process. Affects 0.9.3 to 0.9.12. The stdio transport (dynoxide mcp without --http, which is the default) is not affected.

Workarounds

  • Upgrade to dynoxide 0.9.13.
  • If upgrade is not immediately possible: do not run the MCP HTTP transport. Run dynoxide mcp (stdio, the default) instead of dynoxide mcp --http, and don't pass --mcp to dynoxide serve.

Credits

Vulnerability identified via GitHub Dependabot alert on the transitive rmcp dependency.

Impact

If a user is running dynoxide mcp --http (or dynoxide serve --mcp) on their machine and then visits a malicious web page, the attacker's JavaScript can call any MCP tool exposed by the running dynoxide instance.

Reachable tools include reads (get_item, query, scan, batch_get_item, describe_table, list_tables) and writes (put_item, update_item, delete_item, create_table, batch_write_item).

Any data in tables that the local dynoxide instance has access to can be read, modified, or destroyed.

A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.

GHSA-FVH2-GM75-J4J7 has a CVSS score of 7.5 (High). The CVSS vector has a network attack vector, requires no privileges, and requires user interaction (the victim must visit the malicious page). A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.13); upgrading removes the vulnerable code path.

Affected versions

  • dynoxide-rs (>= 0.9.3, < 0.9.13)
  • dynoxide (>= 0.9.3, < 0.9.13)

Security releases

  • dynoxide-rs → 0.9.13 (rust)
  • dynoxide → 0.9.13 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

dynoxide 0.9.13 closes both the named CVE and a related cross-origin CSRF gap:

  1. DNS rebinding (the named CVE). rmcp is upgraded from 1.1.1 to 1.6.0. rmcp 1.4+ ships a default Host-header allowlist (["localhost", "127.0.0.1", "::1"]) which rejects requests carrying any other Host header with a 403.

  2. Defence in depth. Explicit allowed_hosts and allowed_origins lists are now set on StreamableHttpServerConfig directly. The Host allowlist protects against a future rmcp default flip. The Origin allowlist closes a related cross-origin CSRF gap that the Host check alone does not address: a malicious page could fetch the loopback endpoint with mode: 'no-cors', the Host header would match (it's the literal loopback address the browser is connecting to), but the Origin header would otherwise have been unchecked.

Native MCP clients that don't send an Origin header (Claude Code, Cursor, the dynoxide CLI) are unaffected by the Origin check and continue to work.
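As an added illustration (not code from dynoxide or rmcp), this Rust model applies the two checks the fix configures, in order, to constructed request headers: the Host allowlist rejects a rebound hostname even though the TCP connection is loopback, and the Origin allowlist rejects a cross-origin no-cors fetch whose Host is the legitimate loopback address, while a request with no Origin header (native clients) passes. The port 8080, the lowercase header map, and the origin-list format are assumptions of the example.

```rust
use std::collections::HashMap;

/// Result of the transport-level request check.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allow, Forbidden(&'static str) }

/// The two allowlists dynoxide 0.9.13 sets on its HTTP transport. The host list
/// mirrors the rmcp 1.4+ default quoted in the advisory; the origin list format
/// (scheme://host:port) and the port are assumptions of this example.
pub struct Allowlists {
    pub allowed_hosts: Vec<String>,
    pub allowed_origins: Vec<String>,
}
impl Allowlists {
    pub fn loopback(port: u16) -> Self {
        Allowlists {
            allowed_hosts: ["localhost", "127.0.0.1", "::1"].iter().map(|h| h.to_string()).collect(),
            allowed_origins: ["localhost", "127.0.0.1", "[::1]"]
                .iter().map(|h| format!("http://{h}:{port}")).collect(),
        }
    }
    /// Reduce a Host header to its bare host name: "localhost:8080" -> "localhost",
    /// "[::1]:8080" -> "::1" (IPv6 literals are bracketed in Host).
    fn host_name(host: &str) -> &str {
        let host = host.trim();
        if let Some(rest) = host.strip_prefix('[') {
            return rest.split(']').next().unwrap_or("");
        }
        host.rsplit_once(':').map_or(host, |(h, _)| h)
    }

    /// Host check first (a rebound DNS name arrives in Host, not the loopback
    /// address), then Origin check (the no-cors CSRF path). A missing Origin is
    /// allowed so that native MCP clients, which send none, keep working.
    pub fn check(&self, headers: &HashMap<&str, &str>) -> Verdict {
        let host = match headers.get("host") {
            Some(h) => Self::host_name(h).to_ascii_lowercase(),
            None => return Verdict::Forbidden("missing Host header"),
        };
        if !self.allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(&host)) {
            return Verdict::Forbidden("Host not in allowlist (possible DNS rebinding)");
        }
        match headers.get("origin") {
            None => Verdict::Allow,
            Some(o) if self.allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(o.trim())) => Verdict::Allow,
            Some(_) => Verdict::Forbidden("Origin not in allowlist (cross-origin request)"),
        }
    }
}
```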

Frequently Asked Questions

  1. What is GHSA-FVH2-GM75-J4J7? GHSA-FVH2-GM75-J4J7 is a high-severity cross-site request forgery (CSRF) vulnerability in dynoxide-rs (rust), affecting versions >= 0.9.3, < 0.9.13. It is fixed in 0.9.13. A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones.
  2. How severe is GHSA-FVH2-GM75-J4J7? GHSA-FVH2-GM75-J4J7 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by GHSA-FVH2-GM75-J4J7?
    • dynoxide-rs (rust) (versions >= 0.9.3, < 0.9.13)
    • dynoxide (npm) (versions >= 0.9.3, < 0.9.13)
  4. Is there a fix for GHSA-FVH2-GM75-J4J7? Yes. GHSA-FVH2-GM75-J4J7 is fixed in 0.9.13. Upgrade to this version or later.
  5. Is GHSA-FVH2-GM75-J4J7 exploitable, and should I be worried? Whether GHSA-FVH2-GM75-J4J7 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-FVH2-GM75-J4J7 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-FVH2-GM75-J4J7?
    • Upgrade dynoxide-rs to 0.9.13 or later
    • Upgrade dynoxide to 0.9.13 or later
