Skip to content

fix: Bind to localhost by default + redact API secrets from tool results#1

Open
taylorodell wants to merge 1 commit into
cloudinary:mainfrom
taylorodell:fix/security-transport-and-secret-redaction
Open

fix: Bind to localhost by default + redact API secrets from tool results#1
taylorodell wants to merge 1 commit into
cloudinary:mainfrom
taylorodell:fix/security-transport-and-secret-redaction

Conversation

@taylorodell

Copy link
Copy Markdown

Summary

This PR addresses two security vulnerabilities in the MCP server's HTTP transports:

1. DNS Rebinding / Network Exposure (Critical for provisioning-tier credentials)

The serve and start --transport sse commands previously bound to 0.0.0.0 with Access-Control-Allow-Origin: *, making the server accessible to any device on the network and any web origin. Since this server handles organization-level provisioning credentials (capable of creating/deleting sub-accounts, users, roles, and access keys), this exposure is critical.

Changes:

  • Default bind address changed from 0.0.0.0 to 127.0.0.1 (localhost-only)
  • Added --host flag to explicitly opt into network exposure when needed (e.g., Docker)
  • Replaced wildcard Access-Control-Allow-Origin: * with opt-in --allowed-origins flag
  • Added warning log when --host 0.0.0.0 is used

This is the same vulnerability class as cloudinary/analysis-mcp#1.

2. API Secret Exposure to LLM Context

The access-keys-list and access-keys-generate tools return Cloudinary API responses verbatim, including api_secret fields in plaintext. These secrets are then passed into the LLM context window where they may be:

  • Logged by LLM providers for training/debugging
  • Exfiltrated via prompt injection from another tool's output
  • Persisted in conversation history

Changes:

  • Added redactSecrets() post-processing in formatResult() that strips any JSON field matching /^(api_secret|secret|.*_secret)$/i before returning to the LLM
  • Replaced with a clear message directing users to the Cloudinary dashboard

Additional

  • Added SECURITY.md documenting the threat model and security recommendations

Migration / Breaking Changes

  • Docker users who previously relied on the implicit 0.0.0.0 binding must now pass --host 0.0.0.0 explicitly (or keep the -p port mapping which handles this via Docker networking)
  • Cross-origin browser clients must now specify origins via --allowed-origins
  • LLM integrations that previously read api_secret from tool results will now see [REDACTED] — use the Cloudinary Console to retrieve secrets directly

…ntext

- Default bind to 127.0.0.1 instead of 0.0.0.0 (serve + start --transport sse)
- Add --host flag to override binding when network access is needed
- Replace wildcard Access-Control-Allow-Origin: * with opt-in --allowed-origins
- Redact api_secret fields from tool results before they enter LLM context
- Add SECURITY.md documenting the threat model and mitigations
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant