PT-2025-39909 · Sqlite3+1

Eharris128 · Published 2025-09-29 · Updated 2025-10-27 · CVE-2025-59163

CVSS v4.0: 2.1 (Low)
Vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: vet, versions prior to 1.12.5
Description: The software is susceptible to a DNS rebinding attack because it does not validate the HTTP Host and Origin headers. When vet is used as an MCP server in SSE mode with the default ports, the sqlite3 database containing scan data may be exposed to remote attackers. An attacker can leverage DNS rebinding to reach the vet SSE server on 127.0.0.1 through a website the victim visits and then use MCP tools to read information from the report database. The vulnerable component is the SSE server. The API endpoint used for exploitation is not specified. The vulnerable parameters are the Host and Origin headers.
Recommendations: Update to version 1.12.5 or later. Use the stdio transport instead of the SSE server.
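The missing check described above, as an added illustration of the mitigation rather than code from vet itself: a Go middleware for a loopback-bound SSE server that rejects any request whose Host header (or Origin header, when a browser sends one) does not name localhost. In a DNS rebinding scenario the browser sends the attacker's domain in Host, so the request is refused before any MCP tool runs. The allowlist, port and sample header values are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Hosts a loopback-only MCP SSE server should accept (assumed allowlist).
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// allowedHost strips an optional port and IPv6 brackets, then checks the allowlist.
func allowedHost(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // "localhost:8080" -> "localhost", "[::1]:8080" -> "::1"
	}
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	return allowedHosts[strings.ToLower(host)]
}

// allowedOrigin accepts a missing Origin (non-browser MCP clients send none)
// and otherwise requires the Origin's host to be on the same allowlist.
// "null" or a malformed Origin has no host and is rejected.
func allowedOrigin(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return allowedHost(u.Host)
}

// RequestAllowed is the combined Host + Origin decision for one request.
func RequestAllowed(host, origin string) bool {
	return allowedHost(host) && allowedOrigin(origin)
}

// rejectRebinding wraps the SSE handler so the check runs before every request.
func rejectRebinding(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !RequestAllowed(r.Host, r.Header.Get("Origin")) {
			http.Error(w, "forbidden: invalid Host or Origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample: a rebound domain resolving to 127.0.0.1 still carries its own name in Host.
	fmt.Println(RequestAllowed("attacker.example:8080", "http://attacker.example")) // false
	fmt.Println(RequestAllowed("127.0.0.1:8080", ""))                               // true
}
```

Wrap the SSE mux with `rejectRebinding` when binding to the loopback address; the same check is what makes a browser-initiated rebinding request fail at the Host header.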


Related Identifiers

CVE-2025-59163
GHSA-6Q9C-M9FR-865M
GO-2025-3986
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Sqlite3
Vet