
Security: Overly permissive CORS allows cross-origin credential theft #51

@CrepuscularIRIS

Bug Description

The MCP HTTP server configures CORS with allow_origins=["*"] combined with allow_credentials=True. When FastAPI/Starlette sees this combination, it reflects the requesting Origin back as Access-Control-Allow-Origin (since * is invalid with credentials per the CORS spec). This means any website can make authenticated cross-origin requests to the SimpleMem API, enabling credential theft and data exfiltration.

Location

MCP/server/http_server.py:278-284

Reproduction

<!-- Attacker's website at evil.example.com -->
<script>
// This fetch will include the victim's cookies/auth headers
fetch("http://target-simplemem-server:8000/api/server/info", {
  credentials: "include"
}).then(r => r.json()).then(data => {
  // Attacker can see active_sessions, total_users, etc.
  console.log(data);
});
</script>

Any page the victim visits can silently read from and write to the SimpleMem API if the victim has an active session.

Impact

  • Cross-origin data exfiltration (read all memories)
  • Cross-origin memory injection (add malicious memories)
  • Session information leakage

Suggested Fix

import os

# Replace wildcard with explicit allowed origins.
# split() already returns a list, so it must not be wrapped in another
# list: a nested list would never match any Origin and block every caller.
app.add_middleware(
    CORSMiddleware,
    allow_origins=os.getenv("CORS_ALLOWED_ORIGINS", "http://localhost:3000").split(","),
    allow_credentials=True,
    allow_methods=["GET", "POST", "DELETE"],
    allow_headers=["Authorization", "Content-Type", "Accept", "Mcp-Session-Id"],
)

If the MCP server is intended for local-only use, restrict origins to localhost. If public, require operators to configure CORS_ALLOWED_ORIGINS explicitly.


Found via automated codebase analysis. Happy to submit a PR if confirmed.
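Added example (not code from the issue or from the SimpleMem project): a small, simplified Python model of the origin decision behind this report, showing why the wildcard plus credentials ends up echoing an arbitrary Origin, how an explicit allowlist from CORS_ALLOWED_ORIGINS behaves instead, and why the allowlist must be a flat list. The env-var name and the default origin are taken from the suggested fix; the middleware semantics are a deliberately reduced model, not Starlette's code.

```python
from typing import Optional


def parse_allowed_origins(env_value: str) -> list:
    """Split a comma-separated CORS_ALLOWED_ORIGINS value into a flat list.

    Whitespace is stripped and empty entries dropped: "a, b," -> ["a", "b"].
    """
    return [o.strip() for o in env_value.split(",") if o.strip()]


def allow_origin_header(allowed: list, origin: str, credentials: bool) -> Optional[str]:
    """Simplified model of how Access-Control-Allow-Origin is chosen.

    With a wildcard and credentials enabled the request Origin is echoed back
    (the behaviour the issue describes); with an explicit list only a listed
    origin is echoed. None means the header is omitted and the browser blocks
    the cross-origin read.
    """
    if "*" in allowed:
        return origin if credentials else "*"
    return origin if origin in allowed else None


def cors_kwargs_from_env(env: dict) -> dict:
    """Build CORSMiddleware keyword arguments from an environment mapping.

    Refuses the wildcard when credentials are allowed, so a misconfigured
    deployment fails at startup instead of reflecting arbitrary origins.
    """
    allowed = parse_allowed_origins(env.get("CORS_ALLOWED_ORIGINS", "http://localhost:3000"))
    if "*" in allowed:
        raise ValueError("CORS_ALLOWED_ORIGINS must list explicit origins when credentials are allowed")
    return {
        "allow_origins": allowed,  # flat list; [allowed] would match nothing
        "allow_credentials": True,
        "allow_methods": ["GET", "POST", "DELETE"],
        "allow_headers": ["Authorization", "Content-Type", "Accept", "Mcp-Session-Id"],
    }


if __name__ == "__main__":
    # Constructed origins for illustration only.
    print(allow_origin_header(["*"], "https://evil.example.test", True))
    print(allow_origin_header(["http://localhost:3000"], "https://evil.example.test", True))
    print(cors_kwargs_from_env({"CORS_ALLOWED_ORIGINS": "https://app.example.test"}))
```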
