Executive Summary

A high-severity vulnerability was discovered in Uni-CLI versions before 0.225.2, allowing a malicious web page to interact with the local Uni-CLI server via the legacy HTTP MCP transport. This issue has been patched in version 0.225.2.

Technical Analysis

The root cause is that the legacy JSON-RPC-over-HTTP MCP transport, which listens on loopback, does not validate the browser-supplied Origin header. Because a CORS simple request needs no preflight, a web page can POST to the local /mcp endpoint and deliver a JSON-RPC body directly to the dispatcher. The vulnerability is classified as an Origin Validation Error (CWE-346) and Cross-Site Request Forgery (CSRF) (CWE-352).

How It Gets Exploited

The attack starts from a malicious web page loaded in the user's browser. The page issues a CORS simple POST request (for example with the text/plain content type, which requires no preflight) to the local /mcp endpoint, and the JSON-RPC body is delivered to the dispatcher. If the user has started the local MCP HTTP transport, the page can therefore drive tools/call requests against the user's local Uni-CLI server. The triggering action is the crafted POST to /mcp; once the dispatcher processes the JSON-RPC body, the page has a channel through which it can interact with the Uni-CLI server.

Impact Assessment

The vulnerability affects Uni-CLI versions before 0.225.2. A malicious web page can interact with the user's local Uni-CLI server, including issuing tools/call requests, which can lead to unauthorized actions performed on the user's behalf. The CVSS score for this vulnerability is 8.6, indicating high severity.

Recommended Actions

To mitigate this vulnerability, upgrade to Uni-CLI version 0.225.2 or later. If upgrading is not immediately possible, use the default stdio transport or the Streamable HTTP transport instead of the legacy HTTP MCP transport. Additionally, ensure that the legacy HTTP MCP transport is not exposed to browser-originated traffic.
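As an added illustration of the check the vulnerable transport lacked (example code, not Uni-CLI's own; the function name, allowlist format and sample headers are this example's assumptions), a request gate for a loopback JSON-RPC endpoint that refuses CORS simple requests and any browser-originated request whose Origin is not explicitly allowlisted:

```python
from typing import Dict, FrozenSet, Tuple

# Hypothetical gate for a loopback JSON-RPC endpoint such as /mcp. The names and
# the allowlist format are this example's own, not Uni-CLI's.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset()  # default: no browser origin may call it


def _media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def check_mcp_request(headers: Dict[str, str],
                      allowed_origins: FrozenSet[str] = ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether a POST may reach the JSON-RPC dispatcher.

    Two independent checks, both missing from the vulnerable transport:
    1. The body must be declared as application/json. A CORS "simple" request
       can only carry text/plain, multipart/form-data or
       application/x-www-form-urlencoded, so this alone stops the
       no-preflight cross-site POST described above.
    2. A request carrying an Origin header came from a browser context; it is
       refused unless that exact origin was explicitly allowlisted.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if _media_type(h.get("content-type", "")) != "application/json":
        return False, "unsupported content type"
    origin = h.get("origin")
    if origin is None:
        return True, "ok"  # non-browser client (a CLI, an IDE, curl)
    if origin.strip() not in allowed_origins:  # also rejects the opaque origin "null"
        return False, "origin not allowed"
    return True, "ok"


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "cross_site_simple_post": {"Origin": "https://attacker.invalid",
                               "Content-Type": "text/plain"},
    "cross_site_json_post": {"Origin": "https://attacker.invalid",
                             "Content-Type": "application/json"},
    "local_cli_client": {"Content-Type": "application/json; charset=utf-8"},
    "null_origin": {"Origin": "null", "Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:24s} -> {check_mcp_request(hdrs)}")
```

The content-type check on its own blocks the preflight-free POST the advisory describes; the Origin check additionally covers any deployment that later answers preflights.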

Sources

- GitHub Security Advisories: GHSA-v3f4-w7r7-v3hm