CVE-2025-66416
📋 TL;DR
The MCP Python SDK prior to version 1.23.0 lacks DNS rebinding protection by default for HTTP-based servers. This allows malicious websites to bypass same-origin policy and send requests to local MCP servers, potentially invoking tools or accessing resources. Only affects users running HTTP-based MCP servers locally without authentication.
💻 Affected Systems
- MCP Python SDK (mcp on PyPI)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains unauthorized access to local resources and tools exposed by the MCP server, potentially leading to data theft, privilege escalation, or remote code execution.
Likely Case
Limited information disclosure or unauthorized tool invocation on local systems where vulnerable configurations are deployed.
If Mitigated
No impact if servers use stdio transport, authentication, or proper TransportSecuritySettings.
🎯 Exploit Status
Exploitation requires specific vulnerable configuration and user visiting malicious website while local server is running.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.23.0
Vendor Advisory: https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f
Restart Required: Yes
Instructions:
1. Update MCP Python SDK: pip install --upgrade mcp==1.23.0
2. Restart any running MCP servers
3. Verify TransportSecuritySettings are properly configured if using HTTP-based servers
🔧 Temporary Workarounds
Use stdio transport
allSwitch from HTTP-based transport to stdio transport which is not affected
Modify server configuration to use stdio transport instead of HTTP/SSE
Enable authentication
allConfigure authentication on HTTP-based MCP servers as recommended by security best practices
Configure authentication in MCP server settings
Configure TransportSecuritySettings
allManually enable DNS rebinding protection in server configuration
Set TransportSecuritySettings with DNS rebinding protection enabled
🧯 If You Can't Patch
- Disable HTTP-based MCP servers and use stdio transport exclusively
- Implement network segmentation to isolate MCP servers from user browsing activities
- Configure strict firewall rules to block external access to local MCP server ports
🔍 How to Verify
Check if Vulnerable:
Check if using mcp version <1.23.0 with HTTP-based server running locally without authenticationCheck Version:
pip show mcp | grep VersionVerify Fix Applied:
Confirm mcp version is 1.23.0 or higher and TransportSecuritySettings are properly configured📡 Detection & Monitoring
Log Indicators:
- Unexpected requests to local MCP server from external IPs
- DNS rebinding attempts in server logs
Network Indicators:
- HTTP requests to localhost ports from browser contexts
- DNS queries for localhost from external domains
SIEM Query:
source="mcp-server" AND (dest_ip="127.0.0.1" OR dest_ip="::1") AND src_ip NOT IN internal_subnets