Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user.
This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.
Running HTTP-based MCP servers on localhost without authentication is not recommended per MCP security best practices.
Impact
An attacker-controlled website could potentially send crafted requests to a locally running Apollo MCP Server instance by exploiting DNS rebinding, bypassing browser same-origin policy protections. This could result in unauthorized invocation of MCP tools or access to resources exposed by the server, within the context of the local user's session.
Patches
Users are recommended to upgrade to Apollo MCP Server 1.7.0 or later. Host header validation is enabled by default for StreamableHTTP transport in version 1.7.0 and validates incoming requests against expected localhost values with port matching.
For deployments behind reverse proxies or with custom hostnames, additional allowed hosts can be configured:
transport:
type: streamable_http
host_validation:
enabled: true # default
allowed_hosts:
- mcp.example.comWorkarounds
If upgrading is not immediately possible, the following mitigations reduce exposure:
- Enable authentication on the MCP server transport layer.
- Restrict network binding so the server is not accessible from untrusted network interfaces.
- Use a reverse proxy that validates or rewrites the Host header before forwarding to the MCP server.
References
JLLeitschuh Finder
Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website—visited by a user running the server locally—to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user.
This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost.
Running HTTP-based MCP servers on localhost without authentication is not recommended per MCP security best practices.
Impact
An attacker-controlled website could potentially send crafted requests to a locally running Apollo MCP Server instance by exploiting DNS rebinding, bypassing browser same-origin policy protections. This could result in unauthorized invocation of MCP tools or access to resources exposed by the server, within the context of the local user's session.
Patches
Users are recommended to upgrade to Apollo MCP Server 1.7.0 or later. Host header validation is enabled by default for StreamableHTTP transport in version 1.7.0 and validates incoming requests against expected localhost values with port matching.
For deployments behind reverse proxies or with custom hostnames, additional allowed hosts can be configured:
Workarounds
If upgrading is not immediately possible, the following mitigations reduce exposure:
References