Common Weakness Enumeration

CWE-350

Allowed

Reliance on Reverse DNS Resolution for a Security-Critical Action

Abstraction: Variant · Status: Draft

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

47 vulnerabilities reference this CWE, most recent first.

GHSA-59QG-GRP7-5R73

Vulnerability from github – Published: 2021-05-27 19:00 – Updated: 2021-05-24 21:05
VLAI
Summary
Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements
Details

Impact

An attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service.

In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it’s pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.

By sending “rogue” router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. If by chance you also have on the host a vulnerability like last year’s RCE in apt (CVE-2019-3462), you can now escalate to the host.

Patches

Weave Net version 2.6.3 (to be released soon) will disable the accept_ra option on the veth devices that it creates.

Workarounds

Users should not run containers with CAP_NET_RAW capability. This has been the advice from Weave Net for years. https://www.weave.works/docs/net/latest/kubernetes/kube-addon/#-securing-the-setup

For more information

If you have any questions or comments about this advisory: * Open an issue in the Weave Net repo * Join the Weave Users Slack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/weaveworks/weave"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T21:05:31Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service.\n\nIn a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it\u2019s pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.\n\nBy sending \u201crogue\u201d router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container.\nEven if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.\nIf by chance you also have on the host a vulnerability like last year\u2019s RCE in apt (CVE-2019-3462), you can now escalate to the host.\n\n### Patches\nWeave Net version 2.6.3 (to be released soon) will disable the accept_ra option on the veth devices that it creates.\n\n### Workarounds\nUsers should not run containers with CAP_NET_RAW capability.  This has been the advice from Weave Net for years.\nhttps://www.weave.works/docs/net/latest/kubernetes/kube-addon/#-securing-the-setup\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Weave Net repo](https://github.com/weaveworks/weave/issues/new)\n* Join the \u003ca href=\"https://slack.weave.works/\" target=\"_blank\"\u003eWeave Users Slack\u003c/a\u003e.",
  "id": "GHSA-59qg-grp7-5r73",
  "modified": "2021-05-24T21:05:31Z",
  "published": "2021-05-27T19:00:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11091"
    },
    {
      "type": "WEB",
      "url": "https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements"
}

GHSA-5G22-6W6R-PR2M

Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-11-03 18:31
VLAI
Details

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T21:15:50Z",
    "severity": "HIGH"
  },
  "details": "Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox \u003c 141, Firefox ESR \u003c 140.1, Thunderbird \u003c 141, and Thunderbird \u003c 140.1.",
  "id": "GHSA-5g22-6w6r-pr2m",
  "modified": "2025-11-03T18:31:26Z",
  "published": "2025-07-22T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8036"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1960834"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/652514"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-56"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-59"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-61"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-63"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JX5-HQX5-2VRJ

Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2025-03-27 17:42
VLAI
Summary
Ollama DNS rebinding vulnerability
Details

Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ollama/ollama"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-346",
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-08T22:20:11Z",
    "nvd_published_at": "2024-04-08T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).",
  "id": "GHSA-5jx5-hqx5-2vrj",
  "modified": "2025-03-27T17:42:19Z",
  "published": "2024-04-08T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ollama/ollama"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ollama/ollama/releases"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2699"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
    },
    {
      "type": "WEB",
      "url": "https://www.nccgroup.trust/us/our-research/?research=Technical+advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ollama DNS rebinding vulnerability"
}

GHSA-6Q9C-M9FR-865M

Vulnerability from github – Published: 2025-09-29 16:28 – Updated: 2025-10-23 20:21
VLAI
Summary
vet MCP Server SSE Transport DNS Rebinding Vulnerability
Details

SafeDep vet is vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation.

To exploit this vulnerability following conditions must be met:

  1. A vet scan is executed and reports are saved as sqlite3 database
  2. A vet MCP server is running on default port with SSE transport that has access to the report database
  3. The attacker lures the victim to attacker controlled website
  4. Attacker leverages DNS rebinding to access vet SSE server on 127.0.0.1 through the website
  5. Attacker uses MCP tools to read information from report database

Impact

Data from vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.

Patches

  • v1.12.5 is released that patches the issue with Host and Origin header allow list and validation

Workarounds

  • Use stdio (default) transport for SSE server
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/safedep/vet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-29T16:28:49Z",
    "nvd_published_at": "2025-09-29T22:15:36Z",
    "severity": "LOW"
  },
  "details": "SafeDep `vet` is vulnerable to a DNS rebinding attack due to lack of HTTP `Host` and `Origin` header validation. \n\nTo exploit this vulnerability following conditions must be met:\n\n1. A `vet` scan is executed and reports are saved as `sqlite3` database\n2. A `vet` MCP server is running on default port with SSE transport that has access to the report database\n3. The attacker lures the victim to attacker controlled website\n4. Attacker leverages DNS rebinding to access `vet` SSE server on `127.0.0.1` through the website\n5. Attacker uses MCP tools to read information from report database\n\n### Impact\n\nData from `vet` scan sqlite3 database may be exposed to remote attackers when `vet` is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.\n\n### Patches\n\n* `v1.12.5` is released that patches the issue with `Host` and `Origin` header allow list and validation\n\n### Workarounds\n\n* Use `stdio` (default) transport for SSE server",
  "id": "GHSA-6q9c-m9fr-865m",
  "modified": "2025-10-23T20:21:11Z",
  "published": "2025-09-29T16:28:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/safedep/vet/security/advisories/GHSA-6q9c-m9fr-865m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/safedep/vet/commit/0ae3560ba11846375812377299fe078d45cc3d48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/safedep/vet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/safedep/vet/releases/tag/v1.12.5"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vet MCP Server SSE Transport DNS Rebinding Vulnerability"
}

GHSA-73W7-6W9G-GC8W

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-03-09 00:36
VLAI
Summary
RubyGems has Origin Validation Error vulnerability
Details

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rubygems-update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-0902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-09T00:36:26Z",
    "nvd_published_at": "2017-08-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.",
  "id": "GHSA-73w7-6w9g-gc8w",
  "modified": "2023-03-09T00:36:26Z",
  "published": "2022-05-13T01:38:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/218088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3485"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0378"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0583"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0585"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rubygems/rubygems"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201710-01"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3553-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3685-1"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170907040741/http://www.securityfocus.com/bid/100586"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3966"
    },
    {
      "type": "WEB",
      "url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RubyGems has Origin Validation Error vulnerability"
}

GHSA-89VP-X53W-74FX

Vulnerability from github – Published: 2026-05-06 21:55 – Updated: 2026-05-19 20:17
VLAI
Summary
rmcp Streamable HTTP server transport has a DNS rebinding vulnerability
Details

Summary

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface — violating the MCP specification's transport security guidance.

Impact

An attacker who convinces a victim to visit a malicious page can:

  • Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.
  • Read resources, prompts, and any state accessible via the MCP session.
  • Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim's server exposes.

Because MCP servers frequently run with the user's privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim's machine.

Affected Versions

rmcp < 1.4.0 — all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.

Patched Versions

rmcp >= 1.4.0 (current: 1.5.1).

Patch

Fixed in PR #764 (commit 8e22aa2), released as v1.4.0 on 2026-04-09:

  • StreamableHttpServerConfig::allowed_hosts now defaults to a loopback-only allowlist: ["localhost", "127.0.0.1", "::1"].
  • All incoming HTTP requests pass through validate_dns_rebinding_headers(), which parses the Host header and returns HTTP 403 if the host is not on the allowlist.
  • Public deployments can configure an explicit allowlist via StreamableHttpService::with_allowed_hosts(...), or opt out (not recommended without an upstream reverse proxy that validates Host) via disable_allowed_hosts().

This fix validates the Host header only. Origin header validation is tracked as a defense-in-depth follow-up in #822 and is not required to block the DNS rebinding attack described here — the browser cannot forge the Host header sent to the rebound server.

Workarounds for Unpatched Users

  • Upgrade to rmcp >= 1.4.0.
  • If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose Host header is not one of your expected hostnames.
  • Do not bind the MCP server to 0.0.0.0 without such a proxy.

Resources

  • PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764
  • Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815
  • Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822
  • MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning

Related advisories (same class of vulnerability)

  • TypeScript SDK: GHSA-w48q-cv73-mx4w
  • Python SDK: GHSA-9h52-p55h-vw2f
  • Go SDK: GHSA-xw59-hvm2-8pj6
  • Java SDK: GHSA-8jxr-pr72-r468
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rmcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:55:56Z",
    "nvd_published_at": "2026-05-14T15:16:46Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nPrior to version 1.4.0, the `rmcp` crate\u0027s Streamable HTTP server transport (`crates/rmcp/src/transport/streamable_http_server/`) did not validate the incoming `Host` header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface \u2014 violating the MCP specification\u0027s [transport security guidance](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning).\n\n## Impact\n\nAn attacker who convinces a victim to visit a malicious page can:\n\n- Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.\n- Read resources, prompts, and any state accessible via the MCP session.\n- Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim\u0027s server exposes.\n\nBecause MCP servers frequently run with the user\u0027s privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim\u0027s machine.\n\n## Affected Versions\n\n`rmcp \u003c 1.4.0` \u2014 all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.\n\n## Patched Versions\n\n`rmcp \u003e= 1.4.0` (current: 1.5.1).\n\n## Patch\n\nFixed in [PR #764](https://github.com/modelcontextprotocol/rust-sdk/pull/764) (commit `8e22aa2`), released as v1.4.0 on 2026-04-09:\n\n- `StreamableHttpServerConfig::allowed_hosts` now defaults to a loopback-only allowlist: `[\"localhost\", \"127.0.0.1\", \"::1\"]`.\n- All incoming HTTP requests pass through `validate_dns_rebinding_headers()`, which parses the `Host` header and returns HTTP 403 if the host is not on the allowlist.\n- Public deployments can configure an explicit allowlist via `StreamableHttpService::with_allowed_hosts(...)`, or opt out (not recommended without an upstream reverse proxy that validates `Host`) via `disable_allowed_hosts()`.\n\nThis fix validates the `Host` header only. `Origin` header validation is tracked as a defense-in-depth follow-up in [#822](https://github.com/modelcontextprotocol/rust-sdk/issues/822) and is not required to block the DNS rebinding attack described here \u2014 the browser cannot forge the Host header sent to the rebound server.\n\n## Workarounds for Unpatched Users\n\n- Upgrade to `rmcp \u003e= 1.4.0`.\n- If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose `Host` header is not one of your expected hostnames.\n- Do not bind the MCP server to `0.0.0.0` without such a proxy.\n\n## Resources\n\n- PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764\n- Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815\n- Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822\n- MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning\n\n## Related advisories (same class of vulnerability)\n\n- TypeScript SDK: GHSA-w48q-cv73-mx4w\n- Python SDK: GHSA-9h52-p55h-vw2f\n- Go SDK: GHSA-xw59-hvm2-8pj6\n- Java SDK: GHSA-8jxr-pr72-r468",
  "id": "GHSA-89vp-x53w-74fx",
  "modified": "2026-05-19T20:17:47Z",
  "published": "2026-05-06T21:55:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/rust-sdk"
    },
    {
      "type": "WEB",
      "url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0140.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rmcp Streamable HTTP server transport has a DNS rebinding vulnerability"
}

GHSA-9FH3-R25P-CGRM

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-09-30 00:00
VLAI
Details

In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target's browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-31T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "In PEPPERL+FUCHS WirelessHART-Gateway \u003c= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target\u0027s browser.",
  "id": "GHSA-9fh3-r25p-cgrm",
  "modified": "2022-09-30T00:00:41Z",
  "published": "2022-05-24T19:12:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34561"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en-us/advisories/vde-2021-027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H52-P55H-VW2F

Vulnerability from github – Published: 2025-12-02 16:52 – Updated: 2025-12-02 21:43
VLAI
Summary
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
Details

Description

The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via FastMCP() now have DNS rebinding protection enabled by default when the host parameter is 127.0.0.1 or localhost. Users are advised to update to version 1.23.0 to receive this automatic protection. Users with custom low-level server configurations using StreamableHTTPSessionManager or SseServerTransport directly should explicitly configure TransportSecuritySettings when running an unauthenticated server on localhost.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T16:52:08Z",
    "nvd_published_at": "2025-12-02T19:15:52Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nThe Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using `FastMCP` with streamable HTTP or SSE transport, and has not configured `TransportSecuritySettings`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.\n\nNote that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.\n\nServers created via `FastMCP()` now have DNS rebinding protection enabled by default when the `host` parameter is `127.0.0.1` or `localhost`. Users are advised to update to version `1.23.0` to receive this automatic protection. Users with custom low-level server configurations using `StreamableHTTPSessionManager` or `SseServerTransport` directly should explicitly configure `TransportSecuritySettings` when running an unauthenticated server on localhost.",
  "id": "GHSA-9h52-p55h-vw2f",
  "modified": "2025-12-02T21:43:54Z",
  "published": "2025-12-02T16:52:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66416"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/python-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default"
}

GHSA-9QFX-2RGM-H5RF

Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 18:31
VLAI
Details

Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len), and due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual packet size increases information leakage. In summary, this vulnerability allows an attacker to see DNS queries of other clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-24T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len), and due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual packet size increases information leakage. In summary, this vulnerability allows an attacker to see DNS queries of other clients.",
  "id": "GHSA-9qfx-2rgm-h5rf",
  "modified": "2025-10-24T18:31:00Z",
  "published": "2025-10-24T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61430"
    },
    {
      "type": "WEB",
      "url": "https://ma-personal.notion.site/simpledns-vuln?source=copy_link"
    },
    {
      "type": "WEB",
      "url": "https://www.incognitotgt.me/blog/simpledns-vuln"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC8M-4XFJ-4H3J

Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48
VLAI
Details

Windows DNS Spoofing Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-350"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-14T00:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Windows DNS Spoofing Vulnerability",
  "id": "GHSA-cc8m-4xfj-4h3j",
  "modified": "2024-04-04T04:48:57Z",
  "published": "2023-06-14T00:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32020"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.

Mitigation MIT-42
Implementation

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-275: DNS Rebinding

An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-89: Pharming

A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.