Summary
When the ADK web server is bound to loopback, such as the default 127.0.0.1, it should not accept requests with non-loopback Host header values.
The current origin check derives the request origin from the incoming Host header and then compares it with the Origin header. A DNS-rebound request can therefore use a non-loopback hostname in both headers, for example Host: rebind.attacker.example:8000 and Origin: http://rebind.attacker.example:8000, causing the request to be treated as same-origin even though the hostname is not a loopback host.
Impact
If an external page can reach a victim's running local ADK server through DNS rebinding, it may be able to send requests to local ADK APIs as if it were the local server origin. Depending on enabled routes and local agent configuration, this can allow the page to create or modify local eval inputs, trigger local agent runs, or read local API responses.
Expected behavior
When ADK is bound to a loopback host, the server should only accept loopback Host header values such as localhost, 127.0.0.1, and ::1. Non-loopback hostnames should be rejected before the origin comparison.
Validation
I have a PR prepared that:
- rejects non-loopback
Host headers when the server is bound to loopback
- keeps the existing origin checks for allowed/cross-origin behavior
- adds a regression test for the DNS-rebound
Host/Origin shape
- reproduces the unsafe behavior on clean
origin/main: the rebound request returns 200 true
- verifies the patch returns
403 Forbidden: host not allowed
- passes
tests/unittests/cli/test_fast_api.py in Linux Docker: 63 passed
Summary
When the ADK web server is bound to loopback, such as the default
127.0.0.1, it should not accept requests with non-loopbackHostheader values.The current origin check derives the request origin from the incoming
Hostheader and then compares it with theOriginheader. A DNS-rebound request can therefore use a non-loopback hostname in both headers, for exampleHost: rebind.attacker.example:8000andOrigin: http://rebind.attacker.example:8000, causing the request to be treated as same-origin even though the hostname is not a loopback host.Impact
If an external page can reach a victim's running local ADK server through DNS rebinding, it may be able to send requests to local ADK APIs as if it were the local server origin. Depending on enabled routes and local agent configuration, this can allow the page to create or modify local eval inputs, trigger local agent runs, or read local API responses.
Expected behavior
When ADK is bound to a loopback host, the server should only accept loopback
Hostheader values such aslocalhost,127.0.0.1, and::1. Non-loopback hostnames should be rejected before the origin comparison.Validation
I have a PR prepared that:
Hostheaders when the server is bound to loopbackHost/Originshapeorigin/main: the rebound request returns200 true403 Forbidden: host not allowedtests/unittests/cli/test_fast_api.pyin Linux Docker:63 passed