Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port
Vulnerability Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Nhost 安全漏洞
Vulnerability Description
Nhost是Nhost开源的一个后端即服务平台。 Nhost 1.41.0之前版本存在安全漏洞,该漏洞源于Nhost CLI MCP服务器在显式配置为监听网络端口时,未应用入站身份验证且未强制执行严格的CORS,可能导致同一机器上访问的恶意网站向MCP服务器发出跨域请求并使用开发人员本地配置的凭据调用特权工具。
CVSS Information
N/A
Vulnerability Type
N/A