js · @zenalexa/unicli · Critical

@zenalexa/unicli: Missing Origin validation in legacy HTTP MCP transport (CVE)


20 Jun 2026 · Severity: act now

What changed

Uni-CLI versions before 0.225.2 lacked Origin header validation on the legacy JSON-RPC-over-HTTP MCP transport, allowing malicious web pages to send CORS simple POST requests to the local /mcp endpoint and drive tools/call requests. Version 0.225.2 adds a shared Origin guard that rejects non-loopback browser Origins with HTTP 403 before routing.
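The guard the fix describes, rejecting any browser Origin that is not loopback before the request reaches the JSON-RPC router, looks roughly like the following. This is an added example and not Uni-CLI's own code; the names `isLoopbackOrigin`, `originGuard` and `handleRequest`, the request/response shapes and the sample requests are all this example's own assumptions.

```javascript
// Added example, not Uni-CLI's own code: an Origin guard for a local
// JSON-RPC-over-HTTP endpoint, modelled on the behaviour the 0.225.2 fix
// describes (reject non-loopback browser Origins with 403 before routing).
// All names here (isLoopbackOrigin, originGuard, handleRequest) are this
// example's own.

const LOOPBACK_NAMES = new Set(["localhost", "[::1]"]);

// True if the Origin header value names a loopback host over http(s).
// "null" (opaque origin) and unparsable values are not loopback.
function isLoopbackOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  // WHATWG URL keeps the brackets on IPv6 literals, e.g. "[::1]".
  return LOOPBACK_NAMES.has(host) || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Decide before routing. A request with no Origin comes from a non-browser
// client (the CLI, curl) and passes; a browser Origin must be loopback.
// Returns null to proceed, or the HTTP status to answer with.
function originGuard(headers) {
  const origin = headers.origin;
  if (origin === undefined) return null;
  return isLoopbackOrigin(origin) ? null : 403;
}

// Minimal request handler: guard first, then route to /mcp.
// req = { method, url, headers, body }; returns { status, body }.
function handleRequest(req) {
  const denied = originGuard(req.headers);
  if (denied !== null) {
    return { status: denied, body: "Forbidden: cross-origin request to local MCP endpoint" };
  }
  if (req.method !== "POST" || req.url !== "/mcp") {
    return { status: 404, body: "Not found" };
  }
  let rpc;
  try {
    rpc = JSON.parse(req.body);
  } catch {
    return { status: 400, body: "Bad JSON-RPC body" };
  }
  // Placeholder dispatcher: a real server would invoke the named method here.
  return {
    status: 200,
    body: JSON.stringify({ jsonrpc: "2.0", id: rpc.id, result: { method: rpc.method } }),
  };
}

// Constructed sample requests, not captured traffic.
const SAMPLE_REQUESTS = [
  // CORS "simple" POST from a foreign page: text/plain body, so no preflight.
  { method: "POST", url: "/mcp",
    headers: { origin: "https://attacker.example", "content-type": "text/plain" },
    body: '{"jsonrpc":"2.0","id":1,"method":"tools/call"}' },
  // The same call from a local web UI served on the loopback interface.
  { method: "POST", url: "/mcp",
    headers: { origin: "http://localhost:3000", "content-type": "application/json" },
    body: '{"jsonrpc":"2.0","id":2,"method":"tools/call"}' },
  // Non-browser client: no Origin header at all.
  { method: "POST", url: "/mcp",
    headers: { "content-type": "application/json" },
    body: '{"jsonrpc":"2.0","id":3,"method":"tools/list"}' },
];

// Status each sample receives: the guard runs before any route or body parsing.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => handleRequest(r).status);
}
// evaluateSamples() → [403, 200, 200]
```

In a Node `http.createServer` handler the header names are already lowercased, so `originGuard(req.headers)` can be called first thing and the 403 written before the body is even read. The check deliberately ignores `Content-Type`: a CORS simple request can carry a JSON payload under `text/plain`, so the Origin header, not the media type, is what distinguishes a foreign page from a local client.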

Who it affects

Users running Uni-CLI versions before 0.225.2 with the legacy HTTP MCP transport enabled.

What to do today

Upgrade to Uni-CLI version 0.225.2 or later immediately. If upgrade is not possible, switch to stdio or Streamable HTTP transport and avoid exposing the legacy HTTP transport to browser-originated traffic.
