Overview
CVE-2025-66414 identifies a security vulnerability in the Model Context Protocol (MCP) TypeScript SDK, the official TypeScript SDK for MCP servers and clients. Specifically, prior to version 1.24.0, the SDK does not enable DNS rebinding protection by default for HTTP-based servers. This can expose users to potential attacks when running an HTTP-based MCP server on localhost without authentication.
Technical Details
The vulnerability arises because the MCP TypeScript SDK, when configured to run an HTTP-based server (using StreamableHTTPServerTransport or SSEServerTransport) on localhost without authentication, doesn’t automatically enable DNS rebinding protection. DNS rebinding is a technique where a malicious website manipulates DNS resolution to bypass same-origin policy restrictions in web browsers.
Without DNS rebinding protection enabled, a malicious website could potentially send requests to the local MCP server. This is particularly concerning if the MCP server exposes tools or resources accessible by the user. The attacker effectively impersonates the user, leveraging their access to the local MCP server.
It’s important to note that this issue *does not* affect servers using stdio transport.
The vulnerable code was addressed in commit 09623e2aa5044f9e9da62c73d820a8250b9d97ed on GitHub.
CVSS Analysis
Currently, no CVSS score is available for CVE-2025-66414. However, the potential for DNS rebinding attacks should be taken seriously. The severity is highly dependent on the functionality exposed by the specific MCP server and the extent of its access.
Possible Impact
Successful exploitation of this vulnerability could allow an attacker to:
- Invoke tools exposed by the local MCP server on behalf of the user.
- Access resources that the MCP server has access to.
- Potentially compromise the user’s local environment, depending on the capabilities of the MCP server.
The impact is limited to scenarios where an HTTP-based MCP server is running on localhost without authentication, a practice that is discouraged in MCP security best practices.
Mitigation or Patch Steps
The recommended mitigation is to upgrade to MCP TypeScript SDK version 1.24.0 or later. This version includes a fix that addresses the DNS rebinding vulnerability.
Additionally, consider the following security best practices:
- Avoid running HTTP-based MCP servers locally without authentication whenever possible.
- If authentication is not feasible, ensure that the MCP server exposes minimal functionality and has limited access to sensitive resources.
- Use stdio transport when possible, as it is not affected by this vulnerability.
