Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft
Vulnerability Description
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories. This issue has been patched in version 10.25.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
过度许可的跨域白名单
Vulnerability Title
mcp-memory-service 安全漏洞
Vulnerability Description
mcp-memory-service是Henry个人开发者的一个为AI智能体提供持久化共享内存的后端服务。 mcp-memory-service 10.25.1之前版本存在安全漏洞,该漏洞源于CORS配置不当且允许匿名访问,可能导致任意网站读取、修改和删除所有存储的记忆数据。
CVSS Information
N/A
Vulnerability Type
N/A