Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. #1205
Merged: pcarleton merged 1 commit into modelcontextprotocol:main from jacopoc:improve-header-validation-for-dns-rebinding-protection on Dec 2, 2025
Conversation
Commit: …Http.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection.
pcarleton approved these changes on Dec 2, 2025
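Added example, not code from the typescript-sdk, of the behaviour the PR title describes: a Host check that runs on every request and an Origin check that applies only when the header is present, shown beside the stricter pre-change variant that rejected requests with no Origin. Apart from `validateRequestHeaders`, which the title names, the type, option and helper names are hypothetical, and the sample headers are constructed.

```typescript
// Added example, not code from the typescript-sdk: a minimal header check in the shape
// PR #1205 describes. Type, option and helper names are hypothetical, not SDK identifiers.

interface RebindingProtectionOptions {
  enableDnsRebindingProtection: boolean;
  allowedHosts?: string[]; // exact Host values, e.g. "localhost:3000"
  allowedOrigins?: string[]; // exact Origin values, e.g. "http://localhost:3000"
}

// Node's IncomingMessage.headers lowercases header names; a value may be repeated.
type HeaderMap = Record<string, string | string[] | undefined>;

interface ValidationResult {
  ok: boolean;
  reason?: string;
}

function firstHeader(headers: HeaderMap, name: string): string | undefined {
  const value = headers[name.toLowerCase()];
  return Array.isArray(value) ? value[0] : value;
}

// Host check shared by both variants. In a DNS rebinding attack the browser addresses
// the attacker's hostname, so Host carries that name instead of the local one; this
// check is what actually stops the attack, so it runs on every request.
function checkHost(headers: HeaderMap, opts: RebindingProtectionOptions): ValidationResult {
  const allowedHosts = opts.allowedHosts ?? [];
  if (allowedHosts.length === 0) return { ok: true };
  const host = firstHeader(headers, "host");
  if (host === undefined || !allowedHosts.includes(host)) {
    return { ok: false, reason: `Invalid Host header: ${host ?? "<missing>"}` };
  }
  return { ok: true };
}

// Before the change: with an Origin allowlist configured, a request that has no Origin
// header at all is rejected, which locks out non-browser clients such as SDK clients.
function validateRequestHeadersStrict(headers: HeaderMap, opts: RebindingProtectionOptions): ValidationResult {
  if (!opts.enableDnsRebindingProtection) return { ok: true };
  const hostResult = checkHost(headers, opts);
  if (!hostResult.ok) return hostResult;
  const allowedOrigins = opts.allowedOrigins ?? [];
  const origin = firstHeader(headers, "origin");
  if (allowedOrigins.length > 0 && (origin === undefined || !allowedOrigins.includes(origin))) {
    return { ok: false, reason: `Invalid Origin header: ${origin ?? "<missing>"}` };
  }
  return { ok: true };
}

// After the change: Origin is validated only when the client sent one. Browsers omit
// Origin only on same-origin GETs and on no-cors GETs whose response the page cannot
// read; under rebinding the former carry the attacker's hostname in Host and fail checkHost.
function validateRequestHeaders(headers: HeaderMap, opts: RebindingProtectionOptions): ValidationResult {
  if (!opts.enableDnsRebindingProtection) return { ok: true };
  const hostResult = checkHost(headers, opts);
  if (!hostResult.ok) return hostResult;
  const allowedOrigins = opts.allowedOrigins ?? [];
  const origin = firstHeader(headers, "origin");
  if (origin !== undefined && allowedOrigins.length > 0 && !allowedOrigins.includes(origin)) {
    return { ok: false, reason: `Invalid Origin header: ${origin}` };
  }
  return { ok: true };
}

// Constructed sample requests (not captured traffic) against a local server on port 3000.
const LOCAL_OPTS: RebindingProtectionOptions = {
  enableDnsRebindingProtection: true,
  allowedHosts: ["localhost:3000", "127.0.0.1:3000"],
  allowedOrigins: ["http://localhost:3000"],
};
const SDK_CLIENT: HeaderMap = { host: "localhost:3000", accept: "application/json, text/event-stream" };
const BROWSER_SAME_SITE: HeaderMap = { host: "localhost:3000", origin: "http://localhost:3000" };
const REBOUND_HOST: HeaderMap = { host: "rebound.example:3000", origin: "http://rebound.example:3000" };
const FOREIGN_ORIGIN: HeaderMap = { host: "localhost:3000", origin: "http://other.example" };

function demo(): void {
  const samples: Array<[string, HeaderMap]> = [
    ["SDK_CLIENT", SDK_CLIENT],
    ["BROWSER_SAME_SITE", BROWSER_SAME_SITE],
    ["REBOUND_HOST", REBOUND_HOST],
    ["FOREIGN_ORIGIN", FOREIGN_ORIGIN],
  ];
  for (const [label, headers] of samples) {
    const before = validateRequestHeadersStrict(headers, LOCAL_OPTS);
    const after = validateRequestHeaders(headers, LOCAL_OPTS);
    console.log(`${label}: before=${before.ok} after=${after.ok}${after.reason ? ` (${after.reason})` : ""}`);
  }
}

demo();
```

Only the SDK_CLIENT case changes outcome between the two variants; the rebinding-shaped request is rejected by the Host check in both.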
MightyPrytanis added a commit to MightyPrytanis/codebase that referenced this pull request on Jan 3, 2026:
Snyk has created this PR to upgrade @modelcontextprotocol/sdk from 1.24.0 to 1.24.3.

Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

- The recommended version is 3 versions ahead of your current version.
- The recommended version was released a month ago.

Release notes for @modelcontextprotocol/sdk:

1.24.3 (2025-12-04)
- chore: fix dev dependency security vulnerabilities by @felixweinberger in #1227
- chore(deps): bump express from 5.0.1 to 5.2.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1228
- fix: release HTTP connections after POST responses by @mattzcarey in #1214
- fix: skip priming events and closeSSEStream for old protocol versions by @felixweinberger in #1233
- chore: bump version for patch release by @felixweinberger in #1235
Full Changelog: https://redirect.github.com/modelcontextprotocol/typescript-sdk/compare/1.24.2...1.24.3

1.24.2 (2025-12-03)
- feat: add optional resource annotations by @vhorvath2010 in #954
- chore: refresh CLAUDE.md by @LucaButBoring in #1217
- refactor: make Server class framework-agnostic by moving express to separate module by @cytle in #1223
- chore: bump version to 1.24.2 by @pcarleton in #1224
New Contributors: @vhorvath2010 made their first contribution in #954; @cytle made their first contribution in #1223
Full Changelog: https://redirect.github.com/modelcontextprotocol/typescript-sdk/compare/1.24.1...1.24.2

1.24.1 (2025-12-02)
- fix(streamableHttp): fix infinite retries when maxRetries is set to 0 by @mrorigo in #1216
- chore: update protocol version to 2025-11-25 by @dsp-ant in #1218
- chore: bump version for release by @felixweinberger in #1219
New Contributors: @mrorigo made their first contribution in #1216
Full Changelog: https://redirect.github.com/modelcontextprotocol/typescript-sdk/compare/1.24.0...1.24.1

1.24.0 (2025-12-02)
Summary: This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec (https://modelcontextprotocol.io/specification/2025-11-25) as well as the release blog post (https://blog.modelcontextprotocol.io/posts/2025-11-25-first-mcp-anniversary/).
- fix: update spec links from latest to draft by @domdomegg in #1171
- Make sure to consume HTTP error response bodies by @GreenStage in #1173
- docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in #1161
- SEP-1686: Tasks by @LucaButBoring in #1041
- Fix JSON parse error on SSE events with empty data by @felixweinberger in #1184
- Fix StreamableHTTPClientTransport instantiation by @yuwzho in #944
- feat: eslint rule to prefer node protocols by @mattzcarey in #1187
- fix: call tasks/result to deliver side-channel messages by @felixweinberger in #1185
- Add invalid_target oauth error (rfc 8707) by @GreenStage in #1183
- fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in #1178
- coerce 'expires_in' to be a number by @adam-kuhn in #1111
- Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in #1189
- fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in #1188
- SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in #1157
- adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in #1078
- Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in #1199
- fix hanging stdio servers by @mattzcarey in #1200
- README refactor by @KKonstantinov in #1197
- [Docs] Fix typo by @koic in #1067
- feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in #1166
- fix: improve SSE reconnection behavior by @felixweinberger in #1191
- fix: normalize headers in sse transport by @marcrasi in #856
- feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in #1203
- fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in #1204
- Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in #1205
- fix: allow zod 4 transformations by @mattzcarey in #1213
- feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in #1212
- chore: bump version for release by @felixweinberger in #1215
New Contributors: @GreenStage made their first contribution in #1173; @saharis9988 made their first contribution in #1161; @yuwzho made their first contribution in #944; @yamadashy made their first contribution in #1178
href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1178">#1178</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/adam-kuhn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/adam-kuhn">@ adam-kuhn</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3624481815" data-permission-text="Title is private" data-url="modelcontextprotocol/typescript-sdk#1111" data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/1111/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1111">#1111</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mgyarmathy/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/mgyarmathy">@ mgyarmathy</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3584050696" data-permission-text="Title is private" data-url="modelcontextprotocol/typescript-sdk#1078" data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/1078/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1078">#1078</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/filip-bartuska-ipf/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/filip-bartuska-ipf">@ filip-bartuska-ipf</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3680574535" data-permission-text="Title is private" data-url="modelcontextprotocol/typescript-sdk#1199" 
data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/1199/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1199">#1199</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/koic/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/koic">@ koic</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3576912671" data-permission-text="Title is private" data-url="modelcontextprotocol/typescript-sdk#1067" data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/1067/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1067">#1067</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/marcrasi/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/marcrasi">@ marcrasi</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3301818827" data-permission-text="Title is private" data-url="modelcontextprotocol/typescript-sdk#856" data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/856/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/856">#856</a></li> <li><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/jacopoc/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/jacopoc">@ jacopoc</a> made their first contribution in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3682254908" data-permission-text="Title is private" 
data-url="modelcontextprotocol/typescript-sdk#1205" data-hovercard-type="pull_request" data-hovercard-url="/modelcontextprotocol/typescript-sdk/pull/1205/hovercard" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/pull/1205">#1205</a></li> </ul> <p><strong>Full Changelog</strong>: <a class="commit-link" href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/compare/1.23.0...1.24.0"><tt>1.23.0...1.24.0</tt></a></p> </li> </ul> from <a href="https://redirect.github.com/modelcontextprotocol/typescript-sdk/releases">@modelcontextprotocol/sdk GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJhMDljYzIxZS1mZjNiLTQzOTEtOGZlZi04NmE4ODU2MDA2YTgiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImEwOWNjMjFlLWZmM2ItNDM5MS04ZmVmLTg2YTg4NTYwMDZhOCJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/mightyprytanis/project/eba72b74-6882-414c-8d80-bbb34df62e40?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/mightyprytanis/project/eba72b74-6882-414c-8d80-bbb34df62e40/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade 
Motivation and Context
In the context of DNS rebinding protection, the condition to validate the Origin header has been modified in validateRequestHeaders (in both streamableHttp.ts and sse.ts) in order to prevent the rejection of requests that do not include an Origin header, such as those not originating from browsers, since they are not related to DNS rebinding attacks against the server.
Moreover, before this change, the Origin validation condition in validateRequestHeaders, i.e.
was not compliant with the latest version (2025-11-25) of the MCP specification (Transports - 2.0.1 Security Warning) that states:
Instead, the updated Origin validation condition
closely implements the specification.
How Has This Been Tested?
Along with the modified condition, this pull request introduces two new tests to verify the acceptance of requests without an Origin header when DNS Rebinding protection is enabled.
Breaking Changes
No breaking changes have been introduced.
Types of changes
Checklist
Additional context
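The behaviour this pull request describes, as an added, self-contained example that is not the SDK's own `validateRequestHeaders` (the option names `enableDnsRebindingProtection`, `allowedOrigins` and `allowedHosts`, the helper `getHeader`, and the sample hostnames are assumptions made for illustration): when DNS rebinding protection is enabled, the Host header is checked against an allow-list, a present Origin header must match the allow-list, and a request with no Origin header at all (a non-browser client) is accepted. It also shows the `Origin: null` edge case, which is a present value and therefore still rejected unless explicitly allowed.

```typescript
// Added example (not the SDK's code). Option and helper names are assumed.

export interface DnsRebindingOptions {
  enableDnsRebindingProtection: boolean;
  allowedOrigins?: string[];
  allowedHosts?: string[];
}

export interface HeaderCheck {
  ok: boolean;
  reason?: string;
}

// Shape of Node's IncomingMessage.headers (names arrive lower-cased there).
type Headers = Record<string, string | string[] | undefined>;

// Case-insensitive lookup so hand-built header objects behave like Node's.
function getHeader(headers: Headers, name: string): string | undefined {
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === name) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

export function validateRequestHeaders(headers: Headers, opts: DnsRebindingOptions): HeaderCheck {
  if (!opts.enableDnsRebindingProtection) {
    return { ok: true };
  }

  // Host is the header that carries the attacker-controlled name in a DNS
  // rebinding scenario, so it is validated whenever an allow-list is configured.
  const host = getHeader(headers, "host");
  if (opts.allowedHosts && opts.allowedHosts.length > 0) {
    if (host === undefined || !opts.allowedHosts.includes(host)) {
      return { ok: false, reason: `Invalid Host header: ${host ?? "(missing)"}` };
    }
  }

  // Origin is only ever sent by browsers. A request without it cannot be part of
  // a browser-driven rebinding attack, so its absence is not an error here; a
  // present Origin, however, must be on the allow-list.
  const origin = getHeader(headers, "origin");
  if (opts.allowedOrigins && opts.allowedOrigins.length > 0) {
    if (origin !== undefined && !opts.allowedOrigins.includes(origin)) {
      // The literal string "null" (sandboxed iframes, some redirects) is a present
      // value and lands here too, unless it has been explicitly allowed.
      return { ok: false, reason: `Invalid Origin header: ${origin}` };
    }
  }

  return { ok: true };
}

// Constructed sample requests (not real traffic) showing each branch.
export function demo(): Record<string, boolean> {
  const opts: DnsRebindingOptions = {
    enableDnsRebindingProtection: true,
    allowedHosts: ["localhost:3000", "127.0.0.1:3000"],
    allowedOrigins: ["http://localhost:3000"],
  };
  return {
    noOriginNonBrowserClient: validateRequestHeaders({ host: "localhost:3000" }, opts).ok,
    allowedOrigin: validateRequestHeaders({ host: "localhost:3000", origin: "http://localhost:3000" }, opts).ok,
    foreignOrigin: validateRequestHeaders({ host: "localhost:3000", origin: "http://rebinder.example" }, opts).ok,
    rebindedHost: validateRequestHeaders({ host: "rebinder.example", origin: "http://rebinder.example" }, opts).ok,
    nullOrigin: validateRequestHeaders({ host: "localhost:3000", origin: "null" }, opts).ok,
  };
}
```

The check keeps the two headers separate on purpose: the Host comparison is what actually defeats rebinding, while the Origin comparison only applies to browser-originated requests, which is why a missing Origin passes but a mismatched one does not.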