
fix: update rmcp to resolve CVE-2026-42559 #10486

Open
acarl005 wants to merge 1 commit into master from independabot/rmcp-CVE-2026-42559

Conversation

@acarl005
Contributor

@acarl005 acarl005 commented May 8, 2026

Summary

Updates rmcp from 0.10.0 to 1.6.0 in the warpdotdev/rmcp fork to resolve CVE-2026-42559.

Vulnerability

  • CVE: CVE-2026-42559
  • Package: rmcp (MCP Rust SDK)
  • Severity: High (CVSS 8.8)
  • Summary: DNS rebinding vulnerability in Streamable HTTP server transport
  • Patched in: ≥ 1.4.0

Dependabot alerts resolved

Changes

  • Updated Cargo.toml workspace dependency for rmcp to point to the latest fork commit (321ab14f67da), which is at version 1.6.0 and includes the DNS rebinding fix (PR #764) plus additional Host/Origin validation (PR #823, PR #826).
  • Removed the transport-sse-client-reqwest feature from app/Cargo.toml — this feature was renamed upstream and is now included transitively via transport-streamable-http-client-reqwest and client-side-sse.
  • Updated Cargo.lock accordingly.

Verification

  • cargo check -p ai passes — the only crate directly using rmcp types (CallToolResult, ResourceContents, RawContent).
  • cargo audit confirms CVE-2026-42559 no longer appears.

Conversation: https://staging.warp.dev/conversation/92b8aa0f-1525-4813-9990-62db7afe9c12
Run: https://oz.staging.warp.dev/runs/019e0851-4c63-74f8-9d5a-ec00d08a7593

This PR was generated with Oz.
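The fix this PR pulls in is described above as a DNS rebinding fix plus Host/Origin validation. The following is an added example of that class of check, written for this page; it is not rmcp's own implementation, and the loopback allow-list, the `Rejection` type and `check_request` are assumptions. A server bound to loopback rejects any request whose `Host` header (and, when a browser sends one, `Origin` header) does not name the loopback host, which is what stops a rebinding attacker's page from reaching the local transport through the browser.

```rust
// Added example, not rmcp's code: a Host/Origin allow-list check that a
// local Streamable HTTP server can apply to every request. Assumption: the
// server listens on a loopback address, so it is only ever legitimately
// addressed as localhost, 127.0.0.1 or ::1.

use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Rejection {
    MissingHost,
    BadHost(String),
    BadOrigin(String),
}

/// Host names (without port) the local server accepts for itself.
fn allowed_hosts() -> HashSet<&'static str> {
    ["localhost", "127.0.0.1", "::1"].into_iter().collect()
}

/// Extract the host from "host", "host:port" or "[v6]:port", lower-cased.
/// Returns None when the authority is malformed (empty host, bad port).
fn host_part(authority: &str) -> Option<String> {
    let authority = authority.trim();
    let (host, port) = if let Some(rest) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal, optionally followed by ":port".
        let (host, tail) = rest.split_once(']')?;
        let port = match tail {
            "" => None,
            t => Some(t.strip_prefix(':')?),
        };
        (host, port)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    if host.is_empty() {
        return None;
    }
    if let Some(p) = port {
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
    }
    Some(host.to_ascii_lowercase())
}

/// Validate the Host header (required) and the Origin header (checked only
/// when present, since non-browser MCP clients do not send one).
pub fn check_request(host: Option<&str>, origin: Option<&str>) -> Result<(), Rejection> {
    let allowed = allowed_hosts();

    let host = host.ok_or(Rejection::MissingHost)?;
    match host_part(host) {
        Some(h) if allowed.contains(h.as_str()) => {}
        _ => return Err(Rejection::BadHost(host.to_string())),
    }

    if let Some(origin) = origin {
        // Only http(s) origins can be valid; "null" and other schemes fail.
        let authority = origin
            .strip_prefix("http://")
            .or_else(|| origin.strip_prefix("https://"))
            .map(|rest| rest.split('/').next().unwrap_or(""));
        match authority.and_then(host_part) {
            Some(h) if allowed.contains(h.as_str()) => {}
            _ => return Err(Rejection::BadOrigin(origin.to_string())),
        }
    }
    Ok(())
}

fn main() {
    // Constructed header values, not captured traffic.
    let cases = [
        (Some("localhost:3000"), None),
        (Some("[::1]:8080"), Some("http://[::1]:8080")),
        (Some("attacker.example:3000"), None),
        (Some("localhost:3000"), Some("http://attacker.example")),
        (Some("localhost"), Some("null")),
    ];
    for (host, origin) in cases {
        println!("{host:?} / {origin:?} -> {:?}", check_request(host, origin));
    }
}
```

The check is deliberately strict about parsing: a malformed `Host` (empty host, non-numeric port) is rejected rather than normalised, and an absent `Origin` is tolerated only because the `Host` check still applies to that request.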

@acarl005 acarl005 requested a review from danielpeng2 May 8, 2026 16:10
@cla-bot cla-bot Bot added the cla-signed label May 8, 2026
@acarl005 acarl005 marked this pull request as ready for review May 8, 2026 20:05
@oz-for-oss
Contributor

oz-for-oss Bot commented May 8, 2026

@acarl005

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

Contributor

@oz-for-oss oz-for-oss Bot left a comment


Overview

This PR updates the workspace rmcp dependency from 0.10.0 to 1.6.0, removes the obsolete SSE reqwest feature from the app dependency declaration, and refreshes the resulting lockfile entries.

Concerns

  • No blocking concerns found in the annotated diff. The dependency remains pinned to an explicit fork revision and the lockfile updates are consistent with the rmcp upgrade.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@acarl005 acarl005 force-pushed the independabot/rmcp-CVE-2026-42559 branch from 531b6d8 to 7464072 May 11, 2026 16:23
Co-Authored-By: Oz <oz-agent@warp.dev>
@acarl005 acarl005 force-pushed the independabot/rmcp-CVE-2026-42559 branch from 7464072 to 57d48a7 May 12, 2026 16:09
