diff --git a/.changeset/patch-fix-allocation-overflow-mcp-domain-merging.md b/.changeset/patch-fix-allocation-overflow-mcp-domain-merging.md
new file mode 100644
index 0000000000..47a75286ce
--- /dev/null
+++ b/.changeset/patch-fix-allocation-overflow-mcp-domain-merging.md
@@ -0,0 +1,7 @@
+---
+"gh-aw": patch
+---
+
+Security Fix: Allocation Size Overflow in Domain List Merging (Alert #6)
+
+Fixed CWE-190 (Integer Overflow or Wraparound) vulnerability in the `EnsureLocalhostDomains` function. The function was vulnerable to allocation size overflow when computing capacity for the merged domain list. The fix eliminates the overflow risk by removing pre-allocation and relying on Go's append function to handle capacity growth automatically, preventing potential denial-of-service issues with extremely large domain configurations.
diff --git a/pkg/parser/mcp.go b/pkg/parser/mcp.go
index cc24f613df..f1531c1d56 100644
--- a/pkg/parser/mcp.go
+++ b/pkg/parser/mcp.go
@@ -32,7 +32,12 @@ func EnsureLocalhostDomains(domains []string) []string {
 }
 }

- result := make([]string, 0, len(domains)+4)
+ // CWE-190: Allocation Size Overflow Prevention
+ // Instead of pre-calculating capacity (len(domains)+4), which could overflow
+ // if domains is extremely large, we let Go's append handle capacity growth
+ // automatically. This is safe and efficient for domain arrays which are
+ // typically small in practice.
+ var result []string

 // Always add localhost domains first (with and without port specifications)
 if !hasLocalhost {
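Review bot: The comment added above `var result []string` overstates what the change protects against: a `[]string` that fits in memory has a length far below the `int` limit, so `len(domains)+4` was unlikely to wrap in practice, and dropping the capacity hint does not bound memory, because the appends that presumably follow (outside this hunk) still grow `result` in proportion to `len(domains)`. If oversized domain lists are a real denial-of-service concern, the effective control is an explicit length limit where the configuration is parsed, which this hunk does not show. I would shorten the comment to say only what the code does, for example `// No capacity hint: avoids the len(domains)+4 arithmetic flagged as Alert #6; append grows the slice as needed.` The body of EnsureLocalhostDomains starts and ends outside the hunk.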