🐛 Default MCP listen addresses to localhost instead of 0.0.0.0#8686
Open
moktamd wants to merge 1 commit intopenpot:developfrom
Open
🐛 Default MCP listen addresses to localhost instead of 0.0.0.0#8686moktamd wants to merge 1 commit intopenpot:developfrom
moktamd wants to merge 1 commit intopenpot:developfrom
Conversation
The MCP server read PENPOT_MCP_SERVER_HOST (undocumented) and defaulted to 0.0.0.0, exposing the server on all interfaces. The documented env var is PENPOT_MCP_SERVER_LISTEN_ADDRESS and the expected default is localhost. The plugin preview server also hardcoded 0.0.0.0. Signed-off-by: moktamd <moktamd@users.noreply.github.com>
moktamd
force-pushed
the
fix/mcp-listen-address-defaults
branch
from
5dece8d to
cab79f1
Compare
moktamd
changed the title
Contributor
|
This change affects on how mcp server is running on the devenv so we need to look closer to properly make this change. I will look it Monday. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #8683
The MCP server and plugin preview server were binding to
0.0.0.0by default, exposing all network interfaces even in local-only mode. This contradicts the documented defaults and the security model described in the README.Changes:
PenpotMcpServer.ts: ReadPENPOT_MCP_SERVER_LISTEN_ADDRESS(matching the documented env var name) instead of the undocumentedPENPOT_MCP_SERVER_HOST, and default tolocalhostvite.config.ts: Use thePENPOT_MCP_PLUGIN_SERVER_LISTEN_ADDRESSenv var withlocalhostfallback instead of hardcoded0.0.0.0