
⚙️ Config v1.3.10

v1.3.10
  • Changed allowedAddresses entries to require an explicit port

    • Applies to actions.allowedAddresses, mcpSettings.allowedAddresses, and endpoints.allowedAddresses
    • Entries must use host:port, private.ip:port, or [ipv6]:port
    • Bare hosts and IPs such as localhost, 127.0.0.1, and host.docker.internal are rejected
    • This scopes each SSRF exemption to one intended private service instead of every port on the same host
  • Preserved private-IP scoping for allowedAddresses

    • URLs, paths, CIDR ranges, whitespace, invalid ports, and public IP literals remain invalid
    • Hostname entries still trust whatever private IP that hostname resolves to on the listed port
  • Clarified how allowedAddresses interacts with allowedDomains

    • allowedAddresses is used when allowedDomains is not configured
    • When allowedDomains is configured, it acts as the authoritative strict whitelist
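
The entry rules above, written out as a pre-deployment lint for an allowedAddresses list. This is an added example, not the project's own validation code; the function names, the sample list, the hostname grammar, the 1-65535 port range, and the use of Python's ipaddress.is_private as the definition of "private" are assumptions.

```python
import ipaddress
import re

# Assumed hostname grammar: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(\.{_LABEL})*")

# Constructed sample list, as it might look before migrating to v1.3.10.
SAMPLE = ["localhost", "127.0.0.1", "host.docker.internal:11434",
          "10.0.0.5:8080", "[::1]:3000", "http://10.0.0.5:8080",
          "10.0.0.0/8", "8.8.8.8:53", "10.0.0.5:70000"]


def check_entry(entry):
    """Return (ok, reason) for a single allowedAddresses entry."""
    if not entry or any(ch.isspace() for ch in entry):
        return False, "empty or contains whitespace"
    if "/" in entry:
        return False, "URLs, paths and CIDR ranges are not accepted"
    want_v6 = entry.startswith("[")
    if want_v6:
        host, sep, port = entry[1:].partition("]:")
    else:
        host, sep, port = entry.rpartition(":")
    # A colon left in an unbracketed host means a bare IPv6 literal.
    if not sep or (not want_v6 and ":" in host):
        return False, "no explicit port (use host:port or [ipv6]:port)"
    # Assumption: valid ports are 1-65535, written in ASCII digits.
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        return False, "invalid port"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if want_v6 and (ip is None or ip.version != 6):
        return False, "brackets must contain an IPv6 address"
    if ip is not None:
        # Assumption: "private" is approximated by ipaddress.is_private.
        ok = ip.is_private
        return ok, "private IP scoped to one port" if ok else "public IP literal"
    if re.fullmatch(r"[0-9.]+", host) or not _HOSTNAME.fullmatch(host):
        return False, "invalid host"
    return True, "hostname scoped to one port"


def audit(entries):
    """Map each rejected entry to its reason; an empty dict means all pass."""
    results = ((e, *check_entry(e)) for e in entries)
    return {e: why for e, ok, why in results if not ok}
```

A hostname entry that passes this syntax check still trusts whatever private IP the name resolves to at request time, so the lint says nothing about DNS.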