
Conversation

@Pleasurecruise
Collaborator

Updated the server to listen explicitly on 127.0.0.1 instead of all interfaces. The log message was also updated to reflect the new binding address.

Reference:
MCPJam/inspector#1095
nbonamy/witsy@a23d4e5

Copilot AI review requested due to automatic review settings December 16, 2025 21:21
Contributor

Copilot AI left a comment


Pull request overview

This PR enhances the security of the OAuth callback server by explicitly binding it to localhost (127.0.0.1) instead of all network interfaces. This is a security best practice for OAuth flows in desktop applications, preventing potential network-based attacks on the callback endpoint. The change aligns with the existing OAuth provider configuration which already constructs redirect URLs using http://127.0.0.1.

  • Binds the OAuth callback server to 127.0.0.1 instead of the default 0.0.0.0 (all interfaces)
  • Updates the log message to reflect the specific binding address for better observability


@kangfenmao kangfenmao merged commit 432b31c into main Dec 17, 2025
7 checks passed
@kangfenmao kangfenmao deleted the fix-rce branch December 17, 2025 02:11