CVE-2025-66416

Name of the Vulnerable Software and Affected Versions mcp versions prior to 1.23.0

Description The mcp Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. If an HTTP-based MCP server is running on localhost without authentication, using FastMCP with streamable HTTP or SSE transport, and without TransportSecuritySettings configured, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions. This could allow an attacker to send requests to the local MCP server and potentially invoke tools or access resources exposed by the server on behalf of the user. This issue does not affect servers using stdio transport.

Recommendations Update to version 1.23.0 or later.