CVE-2025-64443
📋 TL;DR
MCP Gateway versions 0.27.0 and earlier are vulnerable to DNS rebinding attacks when running in SSE or streaming transport mode. This allows attackers to exploit victims' browsers to manipulate MCP servers behind the gateway, potentially accessing tools and features exposed by those servers. Only deployments using network transport modes (not the default stdio mode) are affected.
💻 Affected Systems
- MCP Gateway
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of MCP servers behind the gateway, allowing attackers to execute arbitrary commands, access sensitive data, or manipulate business logic through exposed MCP server tools.
Likely Case
Unauthorized access to MCP server functionality, potentially leading to data exposure, privilege escalation, or disruption of services that rely on MCP server outputs.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to MCP Gateway network endpoints.
🎯 Exploit Status
DNS rebinding attacks are well-known techniques that can be automated. Exploitation requires convincing victims to visit malicious websites or view malicious ads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.28.0
Vendor Advisory: https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r
Restart Required: Yes
Instructions:
1. Update MCP Gateway to version 0.28.0 or later.
2. Restart the MCP Gateway service.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Switch to stdio mode
Use the default stdio transport mode instead of SSE or streaming modes to avoid network exposure.
- Configure MCP Gateway to use stdio transport mode in your deployment configuration
Network isolation
Restrict network access to MCP Gateway endpoints to trusted IP ranges only.
- Use firewall rules to block external access to MCP Gateway ports
- Implement network segmentation to isolate MCP Gateway from untrusted networks
🧯 If You Can't Patch
- Switch MCP Gateway to stdio transport mode (default) which doesn't listen on network ports
- Implement strict network access controls and firewall rules to prevent external access to MCP Gateway endpoints
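The generic defence against DNS rebinding on a locally bound SSE or streaming endpoint is to refuse any request whose Host header (and, for browser traffic, Origin header) does not name the gateway itself. The Go middleware below is an added illustration of that check, not code from the mcp-gateway project, and nothing on this page says how version 0.28.0 actually fixes the issue; the `allowedHosts` list, the `/sse` path, port 8080 and the hostnames used in `probe` are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts: the only names a loopback-bound gateway should accept in
// the Host header. Assumption for this example: the gateway listens on
// loopback and is never addressed by any other name.
var allowedHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
}

// hostAllowed drops an optional port from a Host header value and checks
// the remaining name against the allowlist ("[::1]:8080" -> "::1").
func hostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	host = strings.ToLower(strings.Trim(host, "[]"))
	return allowedHosts[host]
}

// originAllowed accepts a missing Origin (non-browser clients such as a
// CLI) and any Origin whose host is allowlisted; everything else fails.
func originAllowed(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return hostAllowed(u.Host)
}

// rebindingGuard refuses any request whose Host or Origin header does not
// name the gateway itself. A page rebound onto the gateway's port carries
// its own domain in Host, so it never passes this check.
func rebindingGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) || !originAllowed(r.Header.Get("Origin")) {
			http.Error(w, "forbidden: unexpected Host or Origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request through the guard and returns the
// status code, so the behaviour can be checked without a live server.
func probe(host, origin string) int {
	guarded := rebindingGuard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/sse", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Hostnames below are constructed for the demonstration.
	fmt.Println(probe("localhost:8080", ""))                              // 200
	fmt.Println(probe("127.0.0.1:8080", "http://127.0.0.1:8080"))         // 200
	fmt.Println(probe("rebound.example:8080", "http://rebound.example")) // 403: Host is not the gateway's name
	fmt.Println(probe("localhost:8080", "http://other.example"))          // 403: cross-origin browser request
}
```

The Host check is the one that matters for rebinding: the rebound page's requests arrive with the attacker's domain in Host even though they reach the loopback socket, so a source-address filter alone does not stop them. The Origin check additionally rejects ordinary cross-origin browser requests that happen to carry a correct Host.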
🔍 How to Verify
Check if Vulnerable:
Check if MCP Gateway version is 0.27.0 or earlier AND is configured to use SSE or streaming transport modes.
Check Version:
Check the MCP Gateway version in your deployment configuration or run: mcp-gateway --version
Verify Fix Applied:
Verify MCP Gateway version is 0.28.0 or later, or confirm it's running in stdio mode.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DNS resolution patterns
- Unauthorized access attempts to MCP Gateway endpoints
- Suspicious MCP server tool invocations
Network Indicators:
- DNS queries for unusual domains from MCP Gateway hosts
- Unexpected HTTP/SSE connections to MCP Gateway ports
- Cross-origin requests to MCP Gateway endpoints
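The two header-level indicators above can be checked retroactively in access logs. The Go scanner below is an added example, not part of this advisory or of the mcp-gateway project; it reads a constructed `key=value` log format that is assumed for the illustration (real gateway logs may look different), and it flags a Host header that is not a loopback name and a browser Origin that differs from the Host.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sampleLog holds constructed access-log lines in an assumed key=value
// layout; it is not real MCP Gateway output. Every request comes from
// 127.0.0.1 because a rebound page runs in a browser on the gateway host,
// so the source address alone cannot separate attack traffic from normal
// local use; the Host and Origin headers can.
var sampleLog = []string{
	`ts=2025-11-14T10:00:01Z client=127.0.0.1 host=localhost:8080 origin=- path=/sse status=200`,
	`ts=2025-11-14T10:00:05Z client=127.0.0.1 host=localhost:8080 origin=http://localhost:8080 path=/mcp status=200`,
	`ts=2025-11-14T10:01:12Z client=127.0.0.1 host=rebound.example:8080 origin=http://rebound.example path=/sse status=200`,
	`ts=2025-11-14T10:01:13Z client=127.0.0.1 host=localhost:8080 origin=https://other.example path=/mcp status=200`,
}

// Alert records one suspicious line and the indicator it matched.
type Alert struct {
	Line   string
	Reason string
}

// parseFields splits "k=v k=v ..." into a map; values contain no spaces
// in this constructed format.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// hostname drops a port from "name:port" or "[v6]:port" and lowercases.
func hostname(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		hostport = h
	}
	return strings.ToLower(strings.Trim(hostport, "[]"))
}

// isLoopbackName reports whether a hostname is one a loopback-bound
// gateway is legitimately reached by (assumption for this example).
func isLoopbackName(name string) bool {
	return name == "localhost" || name == "127.0.0.1" || name == "::1"
}

// ScanLog emits one Alert per line that matches either indicator: a Host
// header naming something other than the gateway (the signature of a
// rebound request), or an Origin whose host differs from the Host header
// (a cross-origin browser request).
func ScanLog(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f := parseFields(line)
		host := hostname(f["host"])
		switch {
		case !isLoopbackName(host):
			alerts = append(alerts, Alert{line, "host header is not a loopback name: " + host})
		case f["origin"] != "-" && f["origin"] != "":
			o := strings.TrimPrefix(strings.TrimPrefix(f["origin"], "https://"), "http://")
			if hostname(o) != host {
				alerts = append(alerts, Alert{line, "cross-origin request from " + hostname(o)})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range ScanLog(sampleLog) {
		fmt.Printf("%s\n  -> %s\n", a.Line, a.Reason)
	}
}
```

Run against the sample, the scanner reports the third line (Host names a non-loopback domain) and the fourth (Origin differs from Host) and stays silent on the two ordinary local requests. The same logic ports directly to a SIEM rule: alert on any gateway request whose Host field is not the address the gateway is bound to.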
SIEM Query:
source="mcp-gateway" AND (transport_mode="sse" OR transport_mode="streaming") AND version<="0.27.0"