CWE-350
AllowedReliance on Reverse DNS Resolution for a Security-Critical Action
Abstraction: Variant · Status: Draft
The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
47 vulnerabilities reference this CWE, most recent first.
GHSA-59QG-GRP7-5R73
Vulnerability from github – Published: 2021-05-27 19:00 – Updated: 2021-05-24 21:05Impact
An attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service.
In a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it’s pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.
By sending “rogue” router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond. If by chance you also have on the host a vulnerability like last year’s RCE in apt (CVE-2019-3462), you can now escalate to the host.
Patches
Weave Net version 2.6.3 (to be released soon) will disable the accept_ra option on the veth devices that it creates.
Workarounds
Users should not run containers with CAP_NET_RAW capability. This has been the advice from Weave Net for years. https://www.weave.works/docs/net/latest/kubernetes/kube-addon/#-securing-the-setup
For more information
If you have any questions or comments about this advisory: * Open an issue in the Weave Net repo * Join the Weave Users Slack.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/weaveworks/weave"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11091"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T21:05:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nAn attacker able to run a process as root in a container is able to respond to DNS requests from the host and thereby insert themselves as a fake service.\n\nIn a cluster with an IPv4 internal network, if IPv6 is not totally disabled on the host (via ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but it\u2019s pretty likely that ipv6 forwarding is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default, /proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls means that the host accepts router advertisements and configure the IPv6 stack using them.\n\nBy sending \u201crogue\u201d router advertisements, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker controlled container.\nEven if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.\nIf by chance you also have on the host a vulnerability like last year\u2019s RCE in apt (CVE-2019-3462), you can now escalate to the host.\n\n### Patches\nWeave Net version 2.6.3 (to be released soon) will disable the accept_ra option on the veth devices that it creates.\n\n### Workarounds\nUsers should not run containers with CAP_NET_RAW capability. This has been the advice from Weave Net for years.\nhttps://www.weave.works/docs/net/latest/kubernetes/kube-addon/#-securing-the-setup\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Weave Net repo](https://github.com/weaveworks/weave/issues/new)\n* Join the \u003ca href=\"https://slack.weave.works/\" target=\"_blank\"\u003eWeave Users Slack\u003c/a\u003e.",
"id": "GHSA-59qg-grp7-5r73",
"modified": "2021-05-24T21:05:31Z",
"published": "2021-05-27T19:00:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11091"
},
{
"type": "WEB",
"url": "https://github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements"
}
GHSA-5G22-6W6R-PR2M
Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-11-03 18:31Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
{
"affected": [],
"aliases": [
"CVE-2025-8036"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T21:15:50Z",
"severity": "HIGH"
},
"details": "Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox \u003c 141, Firefox ESR \u003c 140.1, Thunderbird \u003c 141, and Thunderbird \u003c 140.1.",
"id": "GHSA-5g22-6w6r-pr2m",
"modified": "2025-11-03T18:31:26Z",
"published": "2025-07-22T21:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8036"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1960834"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/652514"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-56"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-59"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-61"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JX5-HQX5-2VRJ
Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2025-03-27 17:42Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ollama/ollama"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28224"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-346",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-08T22:20:11Z",
"nvd_published_at": "2024-04-08T19:15:07Z",
"severity": "HIGH"
},
"details": "Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).",
"id": "GHSA-5jx5-hqx5-2vrj",
"modified": "2025-03-27T17:42:19Z",
"published": "2024-04-08T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
},
{
"type": "PACKAGE",
"url": "https://github.com/ollama/ollama"
},
{
"type": "WEB",
"url": "https://github.com/ollama/ollama/releases"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2699"
},
{
"type": "WEB",
"url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
},
{
"type": "WEB",
"url": "https://www.nccgroup.trust/us/our-research/?research=Technical+advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ollama DNS rebinding vulnerability"
}
GHSA-6Q9C-M9FR-865M
Vulnerability from github – Published: 2025-09-29 16:28 – Updated: 2025-10-23 20:21SafeDep vet is vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation.
To exploit this vulnerability following conditions must be met:
- A
vetscan is executed and reports are saved assqlite3database - A
vetMCP server is running on default port with SSE transport that has access to the report database - The attacker lures the victim to attacker controlled website
- Attacker leverages DNS rebinding to access
vetSSE server on127.0.0.1through the website - Attacker uses MCP tools to read information from report database
Impact
Data from vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.
Patches
v1.12.5is released that patches the issue withHostandOriginheader allow list and validation
Workarounds
- Use
stdio(default) transport for SSE server
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/safedep/vet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59163"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-29T16:28:49Z",
"nvd_published_at": "2025-09-29T22:15:36Z",
"severity": "LOW"
},
"details": "SafeDep `vet` is vulnerable to a DNS rebinding attack due to lack of HTTP `Host` and `Origin` header validation. \n\nTo exploit this vulnerability following conditions must be met:\n\n1. A `vet` scan is executed and reports are saved as `sqlite3` database\n2. A `vet` MCP server is running on default port with SSE transport that has access to the report database\n3. The attacker lures the victim to attacker controlled website\n4. Attacker leverages DNS rebinding to access `vet` SSE server on `127.0.0.1` through the website\n5. Attacker uses MCP tools to read information from report database\n\n### Impact\n\nData from `vet` scan sqlite3 database may be exposed to remote attackers when `vet` is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.\n\n### Patches\n\n* `v1.12.5` is released that patches the issue with `Host` and `Origin` header allow list and validation\n\n### Workarounds\n\n* Use `stdio` (default) transport for SSE server",
"id": "GHSA-6q9c-m9fr-865m",
"modified": "2025-10-23T20:21:11Z",
"published": "2025-09-29T16:28:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/safedep/vet/security/advisories/GHSA-6q9c-m9fr-865m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59163"
},
{
"type": "WEB",
"url": "https://github.com/safedep/vet/commit/0ae3560ba11846375812377299fe078d45cc3d48"
},
{
"type": "PACKAGE",
"url": "https://github.com/safedep/vet"
},
{
"type": "WEB",
"url": "https://github.com/safedep/vet/releases/tag/v1.12.5"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "vet MCP Server SSE Transport DNS Rebinding Vulnerability"
}
GHSA-73W7-6W9G-GC8W
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-03-09 00:36RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-0902"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-09T00:36:26Z",
"nvd_published_at": "2017-08-31T20:29:00Z",
"severity": "HIGH"
},
"details": "RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.",
"id": "GHSA-73w7-6w9g-gc8w",
"modified": "2023-03-09T00:36:26Z",
"published": "2022-05-13T01:38:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0902"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/218088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3485"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0585"
},
{
"type": "PACKAGE",
"url": "https://github.com/rubygems/rubygems"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3553-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3685-1"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170907040741/http://www.securityfocus.com/bid/100586"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170907215801/http://www.securitytracker.com/id/1039249"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"type": "WEB",
"url": "http://blog.rubygems.org/2017/08/27/2.6.13-released.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RubyGems has Origin Validation Error vulnerability"
}
GHSA-89VP-X53W-74FX
Vulnerability from github – Published: 2026-05-06 21:55 – Updated: 2026-05-19 20:17Summary
Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface — violating the MCP specification's transport security guidance.
Impact
An attacker who convinces a victim to visit a malicious page can:
- Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.
- Read resources, prompts, and any state accessible via the MCP session.
- Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim's server exposes.
Because MCP servers frequently run with the user's privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim's machine.
Affected Versions
rmcp < 1.4.0 — all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.
Patched Versions
rmcp >= 1.4.0 (current: 1.5.1).
Patch
Fixed in PR #764 (commit 8e22aa2), released as v1.4.0 on 2026-04-09:
StreamableHttpServerConfig::allowed_hostsnow defaults to a loopback-only allowlist:["localhost", "127.0.0.1", "::1"].- All incoming HTTP requests pass through
validate_dns_rebinding_headers(), which parses theHostheader and returns HTTP 403 if the host is not on the allowlist. - Public deployments can configure an explicit allowlist via
StreamableHttpService::with_allowed_hosts(...), or opt out (not recommended without an upstream reverse proxy that validatesHost) viadisable_allowed_hosts().
This fix validates the Host header only. Origin header validation is tracked as a defense-in-depth follow-up in #822 and is not required to block the DNS rebinding attack described here — the browser cannot forge the Host header sent to the rebound server.
Workarounds for Unpatched Users
- Upgrade to
rmcp >= 1.4.0. - If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose
Hostheader is not one of your expected hostnames. - Do not bind the MCP server to
0.0.0.0without such a proxy.
Resources
- PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764
- Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815
- Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822
- MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning
Related advisories (same class of vulnerability)
- TypeScript SDK: GHSA-w48q-cv73-mx4w
- Python SDK: GHSA-9h52-p55h-vw2f
- Go SDK: GHSA-xw59-hvm2-8pj6
- Java SDK: GHSA-8jxr-pr72-r468
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rmcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42559"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T21:55:56Z",
"nvd_published_at": "2026-05-14T15:16:46Z",
"severity": "HIGH"
},
"details": "## Summary\n\nPrior to version 1.4.0, the `rmcp` crate\u0027s Streamable HTTP server transport (`crates/rmcp/src/transport/streamable_http_server/`) did not validate the incoming `Host` header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface \u2014 violating the MCP specification\u0027s [transport security guidance](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning).\n\n## Impact\n\nAn attacker who convinces a victim to visit a malicious page can:\n\n- Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.\n- Read resources, prompts, and any state accessible via the MCP session.\n- Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim\u0027s server exposes.\n\nBecause MCP servers frequently run with the user\u0027s privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim\u0027s machine.\n\n## Affected Versions\n\n`rmcp \u003c 1.4.0` \u2014 all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.\n\n## Patched Versions\n\n`rmcp \u003e= 1.4.0` (current: 1.5.1).\n\n## Patch\n\nFixed in [PR #764](https://github.com/modelcontextprotocol/rust-sdk/pull/764) (commit `8e22aa2`), released as v1.4.0 on 2026-04-09:\n\n- `StreamableHttpServerConfig::allowed_hosts` now defaults to a loopback-only allowlist: `[\"localhost\", \"127.0.0.1\", \"::1\"]`.\n- All incoming HTTP requests pass through `validate_dns_rebinding_headers()`, which parses the `Host` header and returns HTTP 403 if the host is not on the allowlist.\n- Public deployments can configure an explicit allowlist via `StreamableHttpService::with_allowed_hosts(...)`, or opt out (not recommended without an upstream reverse proxy that validates `Host`) via `disable_allowed_hosts()`.\n\nThis fix validates the `Host` header only. `Origin` header validation is tracked as a defense-in-depth follow-up in [#822](https://github.com/modelcontextprotocol/rust-sdk/issues/822) and is not required to block the DNS rebinding attack described here \u2014 the browser cannot forge the Host header sent to the rebound server.\n\n## Workarounds for Unpatched Users\n\n- Upgrade to `rmcp \u003e= 1.4.0`.\n- If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose `Host` header is not one of your expected hostnames.\n- Do not bind the MCP server to `0.0.0.0` without such a proxy.\n\n## Resources\n\n- PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764\n- Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815\n- Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822\n- MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning\n\n## Related advisories (same class of vulnerability)\n\n- TypeScript SDK: GHSA-w48q-cv73-mx4w\n- Python SDK: GHSA-9h52-p55h-vw2f\n- Go SDK: GHSA-xw59-hvm2-8pj6\n- Java SDK: GHSA-8jxr-pr72-r468",
"id": "GHSA-89vp-x53w-74fx",
"modified": "2026-05-19T20:17:47Z",
"published": "2026-05-06T21:55:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
},
{
"type": "WEB",
"url": "https://github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42559"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/rust-sdk"
},
{
"type": "WEB",
"url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0140.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "rmcp Streamable HTTP server transport has a DNS rebinding vulnerability"
}
GHSA-9FH3-R25P-CGRM
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-09-30 00:00In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target's browser.
{
"affected": [],
"aliases": [
"CVE-2021-34561"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-31T11:15:00Z",
"severity": "HIGH"
},
"details": "In PEPPERL+FUCHS WirelessHART-Gateway \u003c= 3.0.8 serious issue exists, if the application is not externally accessible or uses IP-based access restrictions. Attackers can use DNS Rebinding to bypass any IP or firewall based access restrictions that may be in place, by proxying through their target\u0027s browser.",
"id": "GHSA-9fh3-r25p-cgrm",
"modified": "2022-09-30T00:00:41Z",
"published": "2022-05-24T19:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34561"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2021-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9H52-P55H-VW2F
Vulnerability from github – Published: 2025-12-02 16:52 – Updated: 2025-12-02 21:43Description
The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.
Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.
Servers created via FastMCP() now have DNS rebinding protection enabled by default when the host parameter is 127.0.0.1 or localhost. Users are advised to update to version 1.23.0 to receive this automatic protection. Users with custom low-level server configurations using StreamableHTTPSessionManager or SseServerTransport directly should explicitly configure TransportSecuritySettings when running an unauthenticated server on localhost.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66416"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T16:52:08Z",
"nvd_published_at": "2025-12-02T19:15:52Z",
"severity": "HIGH"
},
"details": "### Description\n\nThe Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using `FastMCP` with streamable HTTP or SSE transport, and has not configured `TransportSecuritySettings`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.\n\nNote that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.\n\nServers created via `FastMCP()` now have DNS rebinding protection enabled by default when the `host` parameter is `127.0.0.1` or `localhost`. Users are advised to update to version `1.23.0` to receive this automatic protection. Users with custom low-level server configurations using `StreamableHTTPSessionManager` or `SseServerTransport` directly should explicitly configure `TransportSecuritySettings` when running an unauthenticated server on localhost.",
"id": "GHSA-9h52-p55h-vw2f",
"modified": "2025-12-02T21:43:54Z",
"published": "2025-12-02T16:52:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66416"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/python-sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default"
}
GHSA-9QFX-2RGM-H5RF
Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 18:31Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len), and due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual packet size increases information leakage. In summary, this vulnerability allows an attacker to see DNS queries of other clients.
{
"affected": [],
"aliases": [
"CVE-2025-61430"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T15:15:40Z",
"severity": "MODERATE"
},
"details": "Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len), and due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual packet size increases information leakage. In summary, this vulnerability allows an attacker to see DNS queries of other clients.",
"id": "GHSA-9qfx-2rgm-h5rf",
"modified": "2025-10-24T18:31:00Z",
"published": "2025-10-24T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61430"
},
{
"type": "WEB",
"url": "https://ma-personal.notion.site/simpledns-vuln?source=copy_link"
},
{
"type": "WEB",
"url": "https://www.incognitotgt.me/blog/simpledns-vuln"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CC8M-4XFJ-4H3J
Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2024-04-04 04:48{
"affected": [],
"aliases": [
"CVE-2023-32020"
],
"database_specific": {
"cwe_ids": [
"CWE-350"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T00:15:11Z",
"severity": "MODERATE"
},
"details": "Windows DNS Spoofing Vulnerability",
"id": "GHSA-cc8m-4xfj-4h3j",
"modified": "2024-04-04T04:48:57Z",
"published": "2023-06-14T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32020"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use other means of identity verification that cannot be simply spoofed. Possibilities include a username/password or certificate.
Mitigation MIT-42
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-275: DNS Rebinding
An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-89: Pharming
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.