Summary
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
praisonaiagents.mcp.ToolsMCPServer.run_sse() builds a Starlette MCP
HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes/sse and /messages/, but it does not validate Origin, does not validateHost, and does not require any authentication.
This is reachable through supported PraisonAI code paths that wrap configured
MCP server tools and re-expose them over legacy SSE:
praisonai mcp run <name> --transport ssepraisonai serve mcp --name <name> --transport sse- direct use of
ToolsMCPServer(...).run_sse(...)orlaunch_tools_mcp_server(..., transport="sse")
A malicious website can use DNS rebinding against a local or internal
PraisonAI SSE MCP server and send requests with attacker-controlled Host andOrigin headers. The local PoV binds only to 127.0.0.1, sends an attackerHost and Origin, lists the registered tool, and invokes it successfully.
The same attacker Origin is rejected by PraisonAI's current Streamable HTTP
transport with HTTP 403. The vulnerability is therefore a sibling transport
guard gap in the legacy SSE wrapper, not intended behavior.
Affected product
- Repository:
MervinPraison/PraisonAI - Packages:
praisonaiagentspraisonai
- Primary component:
src/praisonai-agents/praisonaiagents/mcp/mcp_server.py - CLI wrappers:
src/praisonai/praisonai/cli/commands/mcp.pysrc/praisonai/praisonai/cli/commands/serve.py
- Latest verified release/current head:
praisonaiagents 1.6.58PraisonAI 4.6.58- repo head
1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Suggested affected ranges:
praisonaiagents >= 0.6.0, <= 1.6.58praisonai >= 3.10.0, <= 4.6.58
No fixed version is known at submission time.
Confirmed source sweep:
v3.0.0 ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks
v3.10.0 praisonai mcp run --transport sse wraps configured tools into helper
v3.12.3 praisonai serve mcp --name --transport sse wraps configured tools
v4.0.0 same vulnerable helper and CLI wrapping paths
v4.4.12 same vulnerable helper and CLI wrapping paths
v4.5.0 same vulnerable helper and CLI wrapping paths
v4.5.56 same vulnerable helper and CLI wrapping paths
v4.5.139 same vulnerable helper and CLI wrapping paths
v4.6.57 same vulnerable helper and CLI wrapping paths
v4.6.58 same vulnerable helper and dynamic PoV succeeds
Root cause
Current ToolsMCPServer.run_sse() constructs a Starlette app directly:
sse_path = "/sse"
messages_path = "/messages/"
sse_transport = SseServerTransport(messages_path)
async def handle_sse(request: Request):
async with sse_transport.connect_sse(
request.scope, request.receive, request._send
) as (read_stream, write_stream):
await mcp._mcp_server.run(
read_stream,
write_stream,
mcp._mcp_server.create_initialization_options()
)
app = Starlette(
debug=self._debug,
routes=[
Route(sse_path, endpoint=handle_sse),
Mount(messages_path, app=sse_transport.handle_post_message),
]
)
uvicorn.run(app, host=host, port=port)
There is no middleware or route-level check for:
OriginHostAuthorization- API key
- allowed origins / allowed hosts
The configured CLI wrapper exposes this path:
from praisonaiagents.mcp import MCP, ToolsMCPServer
cmd_string = " ".join(cmd)
mcp = MCP(cmd_string, timeout=60, env=server.env or {})
tools = mcp.get_tools()
mcp_server = ToolsMCPServer(name=name, tools=tools)
mcp_server.run_sse(host=host, port=port)
By contrast, the current Streamable HTTP transport validates Origin and
returns HTTP 403 for an invalid origin:
origin = request.headers.get("Origin")
if not self._validate_origin(origin):
return JSONResponse(..., status_code=403)
Local-only PoV
Run from the harness checkout:
uv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \
python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \
--repo-src artifacts/repos/praisonai-v4.6.58/src
Observed current-head result:
{
"candidate": "PRAI-CAND-015",
"http_stream_control": {
"attacker_origin": "http://attacker.example.test",
"rejects_attacker_origin": true,
"status_code": 403,
"transport": "current_http_stream"
},
"source_checks": {
"has_auth_check": false,
"has_host_check": false,
"has_origin_check": false,
"has_sse_transport": true,
"route_count": 2
},
"sse_probe": {
"attacker_headers": {
"Host": "attacker.example.test:62380",
"Origin": "http://attacker.example.test:62380"
},
"bind_host": "127.0.0.1",
"marker_value": "executed-from-attacker-origin",
"marker_written": true,
"server_started": true,
"tool_call_content": [
"recorded:executed-from-attacker-origin"
],
"tool_call_error": false,
"tool_names": [
"record_marker"
],
"vulnerable": true
},
"vulnerable": true
}
The PoV:
- imports the current
ToolsMCPServer; - registers one marker tool;
- monkey-patches
uvicorn.runonly to capture the exact Starlette app created
byrun_sse(); - starts that app on
127.0.0.1; - connects to
/ssewith attacker-controlledHostandOrigin; - lists tools and calls the marker tool;
- runs a control against PraisonAI's current Streamable HTTP transport and
confirms the same attackerOriginis rejected with HTTP 403.
Why this is not intended behavior
This is not only a trust-model disagreement.
PraisonAI's MCP documentation describes Streamable HTTP, WebSocket, and legacy
SSE as supported MCP transport mechanisms. The same documentation says the MCP
module's security properties include origin validation, authentication headers,
and secure session IDs. The transport guide also has a dedicated security
section for origin validation as DNS rebinding prevention and authentication.
The official MCP specification warns that HTTP transports need origin
validation to prevent DNS rebinding, should bind locally for local servers, and
should implement authentication. It also says that without those protections,
remote websites can interact with local MCP servers.
The upstream MCP Python SDK advisory GHSA-9h52-p55h-vw2f / CVE-2025-66416
classifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding
protection as a High severity issue because malicious websites can invoke tools
or access resources exposed by the local MCP server. That advisory also says
custom low-level SseServerTransport configurations should explicitly configure
transport security settings when running unauthenticated localhost servers.
PraisonAI's current Streamable HTTP implementation already enforces an Origin
guard and rejects the exact attacker Origin used in the PoV. The issue is that
the legacy SSE sibling path lacks the same boundary.
Suggested severity
Suggested severity: High.
Rationale:
AV: the attack uses browser-origin HTTP requests to a local/internal
service.AC: practical exploitation requires DNS rebinding or equivalent browser
origin setup.PR: no PraisonAI credentials are required by the SSE server.UR: the user must visit an attacker-controlled page.S: the vulnerable transport exposes tools that operate on resources
outside the HTTP transport itself.C/I/A: exposed tools may read, mutate, or disrupt local/internal
resources depending on the configured MCP server.
Impact
If a PraisonAI user starts a local or internal legacy SSE MCP server with
registered tools, an attacker who gets that user to visit a malicious website
can use DNS rebinding to interact with the SSE server through the browser. The
attacker can discover exposed tools and invoke them as the local user.
Impact depends on the configured tools. In realistic PraisonAI MCP deployments,
registered tools may access local files, repositories, issue trackers, cloud
APIs, internal services, or other automation targets. This can lead to
confidentiality, integrity, and availability impact for the resources reachable
by the exposed tools.
The PoV is local-only and harmless. It exposes one marker tool that writes a
canary string to a temporary directory.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
GHSA-VMF9-XX9W-86WX has a CVSS score of 8.3 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.59, 4.6.59); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Bring legacy SSE server security in line with the current Streamable HTTP
transport, or disable the legacy SSE server path.
Recommended changes:
- Add explicit allowed-origin and allowed-host validation to both
/sseand/messages/. - Reject invalid
Originwith HTTP 403 before opening the SSE stream or
accepting POST messages. - Validate
Hostfor local and internal deployments to mitigate DNS rebinding
even when browsers omit or varyOrigin. - Require authentication for all non-stdio MCP HTTP transports, including SSE.
- Add
--api-key,--allowed-origins, and--allowed-hostsoptions topraisonai mcp runandpraisonai serve mcpwhen--transport sseis used. - Where the installed MCP SDK supports it, configure the SDK transport-security
settings for low-levelSseServerTransportusage instead of mounting it
without Host/Origin protection. - Consider deprecating or disabling
--transport sseserver mode in favor of
the current Streamable HTTP implementation. - Add regression tests proving that attacker
HostandOriginvalues are
rejected on both/sseand/messages/, and that current Streamable HTTP and
legacy SSE enforce the same boundary.
Frequently Asked Questions
- What is GHSA-VMF9-XX9W-86WX? GHSA-VMF9-XX9W-86WX is a high-severity missing authentication for critical function vulnerability in praisonaiagents (pip), affecting versions >= 0.6.0, <= 1.6.58. It is fixed in 1.6.59, 4.6.59. A critical operation is accessible without requiring any authentication.
- How severe is GHSA-VMF9-XX9W-86WX? GHSA-VMF9-XX9W-86WX has a CVSS score of 8.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by GHSA-VMF9-XX9W-86WX?
praisonaiagents(pip) (versions >= 0.6.0, <= 1.6.58)praisonai(pip) (versions >= 3.10.0, <= 4.6.58)
- Is there a fix for GHSA-VMF9-XX9W-86WX? Yes. GHSA-VMF9-XX9W-86WX is fixed in 1.6.59, 4.6.59. Upgrade to this version or later.
- Is GHSA-VMF9-XX9W-86WX exploitable, and should I be worried? Whether GHSA-VMF9-XX9W-86WX is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-VMF9-XX9W-86WX is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-VMF9-XX9W-86WX?
- Upgrade
praisonaiagentsto 1.6.59 or later - Upgrade
praisonaito 4.6.59 or later
- Upgrade