CVE-2025-66416
DNS Rebinding vulnerability in mcp (PyPI)
What is CVE-2025-66416 About?
The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. If a local, unauthenticated server built with `FastMCP` is left with that default, a malicious website can use DNS rebinding to bypass the browser's same-origin policy and interact with the local MCP server on the victim's behalf. The attack requires a specific server configuration and user interaction, so it is moderately complex to execute.
Affected Software
Technical Details
The Model Context Protocol (MCP) Python SDK, when FastMCP is used with the streamable HTTP or SSE transport, does not enable DNS rebinding protection by default. If an MCP server is running on 'localhost' without authentication and has not configured TransportSecuritySettings, a malicious website can perform a DNS rebinding attack. The attacker controls a DNS name that initially resolves to the attacker's own IP so the page loads, and is then changed to resolve to the 'localhost' IP (127.0.0.1), so the page's subsequent requests reach the local server while the browser still treats them as same-origin. Because the server never checks the Host or Origin header, the malicious page can bypass the browser's same-origin policy, send requests, and potentially invoke tools or access resources exposed by the local MCP server on behalf of the user.
What is the Impact of CVE-2025-66416?
Successful exploitation may allow attackers to bypass security restrictions, facilitate unauthorized access to local resources, and potentially execute arbitrary commands or access sensitive information via the local server.
What is the Exploitability of CVE-2025-66416?
Exploiting this vulnerability requires a specific set of circumstances. The target MCP server must be an HTTP-based service, run locally (e.g., on 'localhost'), and operate without authentication. Crucially, the server must also lack explicit TransportSecuritySettings, or run a version older than 1.23.0, which introduced default protection for 'localhost' bindings. An attacker would need to lure a victim to a specially crafted malicious website that then uses DNS rebinding to direct requests to the victim's local MCP server. This is a client-side attack, and its complexity is moderate because of the prerequisites on the server configuration and the need for user interaction with a malicious third-party site.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-66416?
About the Fix from Resolved Security
This patch automatically enables DNS rebinding protection when the server binds to a localhost address, applying strict Host and Origin header checks. Because CVE-2025-66416 depends on an attacker reaching a private interface through DNS rebinding, restricting connections to the expected local hosts and origins blocks the malicious traffic and prevents exploitation.
Available Upgrade Options
- mcp
- <1.23.0 → Upgrade to 1.23.0
Additional Resources
- https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f
- https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99
- https://nvd.nist.gov/vuln/detail/CVE-2025-66416
- https://osv.dev/vulnerability/GHSA-9h52-p55h-vw2f
- https://github.com/modelcontextprotocol/python-sdk
What are Similar Vulnerabilities to CVE-2025-66416?
Similar Vulnerabilities: CVE-2021-39659, CVE-2020-13768, CVE-2018-12536, CVE-2017-1002008, CVE-2023-45802
