CVE-2025-66416
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-02

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, tThe Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-02
Last Modified
2026-03-10
Generated
2026-05-06
AI Q&A
2025-12-02
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66416
EUVD
EUVD-2025-200273
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfprojects mcp_python_sdk to 1.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the MCP Python SDK prior to version 1.23.0, where DNS rebinding protection is not enabled by default for HTTP-based servers. This allows a malicious website to bypass same-origin policy restrictions and send requests to a local MCP server running on localhost without authentication, potentially invoking tools or accessing resources on behalf of the user. This issue occurs when using FastMCP with streamable HTTP or SSE transport and no TransportSecuritySettings configured. It does not affect servers using stdio transport. The vulnerability is fixed in version 1.23.0.


How can this vulnerability impact me? :

If you run an HTTP-based MCP server locally without authentication and without proper security settings, a malicious website could exploit DNS rebinding to bypass browser security policies and send unauthorized requests to your local MCP server. This could lead to unauthorized invocation of tools or access to resources exposed by the MCP server on your behalf, potentially compromising your local environment or data.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the MCP Python SDK to version 1.23.0 or later, which enables DNS rebinding protection by default. Additionally, avoid running HTTP-based MCP servers locally without authentication, and configure TransportSecuritySettings properly if using FastMCP with streamable HTTP or SSE transport.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart