Skip to content

feat: add quiet option to suppress DNS rebinding warning#1751

Closed
LikiosSedo wants to merge 2 commits intomodelcontextprotocol:mainfrom
LikiosSedo:fix/suppress-dns-rebinding-warning
Closed

feat: add quiet option to suppress DNS rebinding warning#1751
LikiosSedo wants to merge 2 commits intomodelcontextprotocol:mainfrom
LikiosSedo:fix/suppress-dns-rebinding-warning

Conversation

@LikiosSedo
Copy link
Copy Markdown

@LikiosSedo LikiosSedo commented Mar 25, 2026

Summary

  • Add quiet option to createMcpExpressApp and createMcpHonoApp
  • When true, suppresses the console.warn about missing DNS rebinding protection when binding to 0.0.0.0 or ::
  • Useful for servers behind a reverse proxy or in containerized environments where the warning is not meaningful

Test plan

  • Added tests for both express and hono middleware confirming no warning when quiet: true
  • All existing tests continue to pass (warning still fires by default)

Closes #1515

@LikiosSedo
feat: add quiet option to suppress DNS rebinding warning
4feacb5 
When binding to 0.0.0.0 or :: without allowedHosts, the server logs a
warning about missing DNS rebinding protection. This is noisy for users
who intentionally bind to all interfaces (e.g. behind a reverse proxy
in a container). The new quiet option lets them opt out.

Closes modelcontextprotocol#1515
@LikiosSedo LikiosSedo requested a review from a team as a code owner March 25, 2026 14:21
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Mar 25, 2026
edited
Loading

🦋 Changeset detected

Latest commit: fcc39c8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@modelcontextprotocol/express Patch
@modelcontextprotocol/hono Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Mar 25, 2026
edited
Loading

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1751

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1751

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1751

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1751

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1751

commit: fcc39c8

@felixweinberger
Copy link
Copy Markdown
Contributor

felixweinberger commented Mar 27, 2026

Thanks for the PR! Per the discussion on #1515, setting allowedHosts already silences this warning while keeping DNS rebinding protection, so we're going to hold off on adding a separate suppression option. See #1515 for the userland fix.

The warning is part of the CVE-2025-66414 mitigation, so we'd want to understand a case allowedHosts can't handle before adding a bypass. Happy to revisit if one surfaces.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Log pollution by unrequested warning output

2 participants

@LikiosSedo @felixweinberger