Skip to content

Commit 76db181

Browse files
committed
fix(security): bind A2A bus to 127.0.0.1 instead of 0.0.0.0
Bun.serve() without hostname defaults to all interfaces, exposing 18810/18811 to the entire network. Pin to localhost.
1 parent 6335733 commit 76db181

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

a2a/bus.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ export function createA2ABus(config) {
4646

4747
server = Bun.serve({
4848
port,
49+
hostname: "127.0.0.1",
4950
fetch(req, env) {
5051
const url = new URL(req.url);
5152
if (req.method === "POST" && url.pathname === "/a2a/message") {

0 commit comments

Comments
 (0)