chore(deps): update rust crate rmcp to v1 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rmcp	workspace.dependencies	major	0.10.0 → 1.0.0

---

rmcp Streamable HTTP server transport has a DNS rebinding vulnerability

CVE-2026-42559 / GHSA-89vp-x53w-74fx

More information

Details

Summary

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface — violating the MCP specification's transport security guidance.

Impact

An attacker who convinces a victim to visit a malicious page can:

• Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.
• Read resources, prompts, and any state accessible via the MCP session.
• Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim's server exposes.

Because MCP servers frequently run with the user's privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim's machine.

Affected Versions

rmcp < 1.4.0 — all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.

Patched Versions

rmcp >= 1.4.0 (current: 1.5.1).

Patch

Fixed in PR #​764 (commit 8e22aa2), released as v1.4.0 on 2026-04-09:

• StreamableHttpServerConfig::allowed_hosts now defaults to a loopback-only allowlist: ["localhost", "127.0.0.1", "::1"].
• All incoming HTTP requests pass through validate_dns_rebinding_headers(), which parses the Host header and returns HTTP 403 if the host is not on the allowlist.
• Public deployments can configure an explicit allowlist via StreamableHttpService::with_allowed_hosts(...), or opt out (not recommended without an upstream reverse proxy that validates Host) via disable_allowed_hosts().

This fix validates the Host header only. Origin header validation is tracked as a defense-in-depth follow-up in #​822 and is not required to block the DNS rebinding attack described here — the browser cannot forge the Host header sent to the rebound server.

Workarounds for Unpatched Users

• Upgrade to rmcp >= 1.4.0.
• If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose Host header is not one of your expected hostnames.
• Do not bind the MCP server to 0.0.0.0 without such a proxy.

Resources

• PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764
• Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815
• Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822
• MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning

Related advisories (same class of vulnerability)

• TypeScript SDK: GHSA-w48q-cv73-mx4w
• Python SDK: GHSA-9h52-p55h-vw2f
• Go SDK: GHSA-xw59-hvm2-8pj6
• Java SDK: GHSA-8jxr-pr72-r468

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx
• https://github.com/modelcontextprotocol/rust-sdk/issues/815
• https://github.com/modelcontextprotocol/rust-sdk/pull/764
• https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning
• https://github.com/advisories/GHSA-89vp-x53w-74fx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

modelcontextprotocol/rust-sdk (rmcp)

v1.4.0

Compare Source

Added

• add Default and constructors to ServerSseMessage (#​794)
• add meta to elicitation results (#​792)
• (macros) auto-generate get_info and default router (#​785)
• (transport) add which_command for cross-platform executable resolution (#​774)
• (auth) add StoredCredentials::new() constructor (#​778)

Fixed

• (server) remove initialized notification gate to support Streamable HTTP (#​788)
• default session keep_alive to 5 minutes (#​780)
• (http) add host check (#​764)
• exclude local feature from docs.rs build (#​782)

Other

• update Rust toolchain to 1.92 (#​797)
• unify IntoCallToolResult Result impls (#​787)

v1.3.0

Compare Source

Added

• (transport) add Unix domain socket client for streamable HTTP (#​749)
• (auth) implement SEP-2207 OIDC-flavored refresh token guidance (#​676)
• add configuration for transparent session re-init (#​760)
• add local feature for !Send tool handler support (#​740)

Fixed

• prevent CallToolResult and GetTaskPayloadResult from shadowing CustomResult in untagged enums (#​771)
• drain in-flight responses on stdin EOF (#​759)
• remove default type param from StreamableHttpService (#​758)
• use cfg-gated Send+Sync supertraits to avoid semver break (#​757)
• (rmcp) surface JSON-RPC error bodies on HTTP 4xx responses (#​748)
• default CallToolResult content to empty vec on missing field (#​752)
• (auth) redact secrets in Debug output for StoredCredentials and StoredAuthorizationState (#​744)

Other

• fix all clippy warnings across workspace (#​746)

v1.2.0

Compare Source

Added

• add missing constructors for non-exhaustive model types (#​739)
• include granted scopes in OAuth refresh token request (#​731)

Fixed

• handle ping requests sent before initialize handshake (#​745)
• allow deserializing notifications without params field (#​729)

Other

• (deps) update jsonwebtoken requirement from 9 to 10 (#​737)

v1.1.1

Compare Source

Fixed

• accept logging/setLevel and ping before initialized notification (#​730)

v1.1.0

Compare Source

Added

• implement OAuth 2.0 Client Credentials flow (#​707)

Other

• add McpMux to Built with rmcp section (#​717)

v1.0.0

Compare Source

Fixed

• (auth) pass WWW-Authenticate scopes to DCR registration request (#​705)
• api ergonomics follow-up (#​720)
• (streamable-http) map stale session 401 to status-aware error (#​709)

v0.17.0

Compare Source

Added

• (streamable-http) add json_response option for stateless server mode (#​683)
• mcp sdk conformance (#​687)
• add default value support to string, number, and integer schemas (#​686)
• add trait-based tool declaration (#​677)
• send and validate MCP-Protocol-Version header (#​675)

Fixed

• improve error logging and remove token secret from logs (#​685)
• refresh token expiry (#​680)
• gate optional dependencies behind feature flags (#​672)
• allow empty content in CallToolResult (#​681)
• (schema) remove AddNullable from draft2020_12 settings (#​664)

Other

• add prose documentation for core features to meet conformance (#​702)
• Fix/sse channel replacement conflict (#​682)
• document session management for streamable HTTP transport (#​674)

v0.16.0

Compare Source

Added

• add support for custom HTTP headers in StreamableHttpClient (#​655)
• (auth) add token_endpoint_auth_method to OAuthClientConfig (#​648)

Fixed

• remove unnecessary doc-cfg (#​661)
• duplicate meta serialization (#​662)
• sort list_all() output in ToolRouter and PromptRouter for deterministic ordering (#​665)
• align task response types with MCP spec (#​658)

Other

• upgrade reqwest to 0.13.2 (#​669)
• include LICENSE in final crate tarball (#​657)
• (deps) update rand requirement from 0.9 to 0.10 (#​650)
• remove unused axum dependency from server-side-http feature (#​642)
• 11-25-2025 compliant Auth (#​651)
• add rudof-mcp to MCP servers list (#​645)

v0.15.0

Compare Source

Added

• (elicitation) add support URL elicitation. SEP-1036 (#​605)
• enforce SEP-1577 MUST requirements for sampling with tools (#​646)
• add native-tls as an optional TLS backend (#​631)
• (capabilities) add extensions field for SEP-1724 (#​643)

Fixed

• (tasks) avoid dropping completed task results during collection (#​639)
• (auth) oauth metadata discovery (#​641)
• compilation with --no-default-features (#​593)
• (tasks) expose execution.taskSupport on tools (#​635)
• (tasks) correct enum variant ordering for deserialization (#​634)

Other

• Add optional description field to Implementation struct (#​649)
• Implement SEP-1577: Sampling With Tools (#​628)

v0.14.0

Compare Source

Fixed

• (tasks) #​626 model task capabilities correctly (#​627)
• don't treat non-success HTTP codes as transport errors (#​618)

Other

• show README content on docs.rs (#​583)
• added hyper-mcp to the list of built with rmcp (#​621)
• Implement SEP-1319: Decouple Request Payload from RPC Methods (#​617)

v0.13.0

Compare Source

Added

• provide blanket implementations for ClientHandler and ServerHandler traits (#​609)
• (service) add close() method for graceful connection shutdown (#​588)
• (auth) add StateStore trait for pluggable OAuth state storage (#​614)
• (elicitation) implement SEP-1330 Elicitation Enum Schema Improvements (#​539)
• (task) add task support (SEP-1686) (#​536)

Fixed

• use the json rpc error from the initialize response and bubble it up to the client (#​569)
• (build) fix build of the project when no features are selected (#​606)
• use Semaphore instead of Notify in OneshotTransport to prevent race condition (#​611)
• add OpenID Connect discovery support per spec-2025-11-25 4.3 (#​598)
• only try to refresh access tokens if we have a refresh token or an expiry time (#​594)
• (docs) add spreadsheet-mcp to Built with rmcp (#​582)

Other

• (elicitation) improve enum schema builder, small changes of elicitation builder (#​608)
• add pre-commit hook for conventional commit verification (#​619)
• clean up optional dependencies (#​546)
• re-export ServerSseMessage from session module (#​612)
• Implement SEP-1699: Support SSE Polling via Server-Side Disconnect (#​604)
• update README external links (#​603)
• clarity and formatting (#​602)
• Add optional icons field to RawResourceTemplate (#​589)

v0.12.0

Compare Source

Added

• add support for custom requests (#​590)
• add support for custom server notifications (#​580)

Fixed

• update process-wrap to v9.0 (#​586)
• (oauth) rfc8414 should judement the response_types (#​485)

Other

• Add SEP-991 (CIMD) support for URL-based client IDs (#​570)
• merge cached_schema_for_type into schema_for_type (#​581)
• Add NexusCore MCP to project list (#​573)

v0.11.0

Compare Source

Added

• (meta) add _meta field to prompts, resources and paginated result (#​558)
• [breaking] remove SSE transport support (#​562)

Fixed

• (streamable-http) gracefully shutdown while client connected (#​494)

Other

• Implements outputSchema validation (#​566)
• add video-transcriber-mcp-rs to projects built with rmcp (#​565)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
    Updating crates.io index
error: failed to select a version for `rmcp`.
    ... required by package `forge_infra v0.1.0 (/tmp/renovate/repos/github/tailcallhq/forgecode/crates/forge_infra)`
    ... which satisfies path dependency `forge_infra` (locked to 0.1.0) of package `forge_api v0.1.0 (/tmp/renovate/repos/github/tailcallhq/forgecode/crates/forge_api)`
    ... which satisfies path dependency `forge_api` (locked to 0.1.0) of package `forge_main v0.1.0 (/tmp/renovate/repos/github/tailcallhq/forgecode/crates/forge_main)`
versions that meet the requirements `^1.0.0` are: 1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

package `forge_infra` depends on `rmcp` with feature `transport-sse-client-reqwest` but `rmcp` does not have that feature.
 available features: __reqwest, auth, base64, client, client-side-sse, default, elicitation, macros, reqwest, reqwest-native-tls, reqwest-tls-no-provider, schemars, server, server-side-http, tower, transport-async-rw, transport-child-process, transport-io, transport-streamable-http-client, transport-streamable-http-client-reqwest, transport-streamable-http-server, transport-streamable-http-server-session, transport-worker, uuid


failed to select a version for `rmcp` which could resolve this conflict