CVE-2025-66414
DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost
Description
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0.
INFO
Published Date :
Dec. 2, 2025, 7:15 p.m.
Last Modified :
March 10, 2026, 7:40 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Update MCP TypeScript SDK to version 1.24.0.
- Enable DNS rebinding protection.
- Configure authentication for servers.
- Avoid using HTTP transport locally without authentication.
Public PoC/Exploit Available at Github
CVE-2025-66414 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-66414.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-66414 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-66414
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
BoondManager MCP Oauth
Dockerfile JavaScript TypeScript
Production security middleware for MCP servers - DNS rebinding protection, CORS guard, tool filtering
Python TypeScript
Collaborative version control VS Code extension with dependency-aware conflict detection
TypeScript JavaScript Dockerfile HTML CSS
Local mirror of Anthropic product changelogs with hybrid FTS5 + sqlite-vec retrieval and MCP server. 44 products, 12 synergies, 382 tests.
agent-sdk anthropic changelog claude fts5 mcp semantic-search sqlite
JavaScript TypeScript Astro CSS Shell
TypeScript CLI + MCP server implementing OpenDeepThink (Zhou et al., arXiv:2605.15177). Independent reimplementation; not a fork.
agent bradley-terry cli deepseek llm mcp model-context-protocol pairwise-comparison reasoning test-time-compute typescript opendeepthink
TypeScript JavaScript
The Project shares all information on MCP related CVE's published
mcp mcp-security mcp-cve
Security scanner for MCP-connected AI agent pipelines — 206 rules, 66 detectors, OWASP Agentic Top 10 + MCP Top 10, EU AI Act / SOC 2 / ISO 27001 / HIPAA compliance mapping. v0.3.24.
ai-agent ai-security claude-code github-action mcp mcp-security owasp sarif scanner security supply-chain-security tool-poisoning ai-agent-security ai-safety security-scanner static-analysis
Python Dockerfile Shell TypeScript HTML
None
Rust Python
Everything you need to start working with AI-powered development tools, installed in the right order with one command per step.
Shell
mcp server for boondmanager
boondmanager mcp-server
TypeScript JavaScript Dockerfile
🗺️ MCP-first infrastructure & agentic-AI cartography — a read-only Model Context Protocol server that gives any AI agent (Claude, OpenAI, Ollama…) awareness of your full system landscape: local services, databases, SaaS tools & their dependencies. Deterministic discovery, recursive traversal & semantic search.
asset-inventory cartography dependency-graph infrastructure mcp network-topology observability shadow-it
TypeScript JavaScript
A Free, Open Source MCP server for dynamic custom persona management with public a GitHub collection of personas, skills, templates, and other elements for AI models.
JavaScript Shell TypeScript Dockerfile Batchfile PowerShell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-66414 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-66414 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 10, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Added CPE Configuration OR *cpe:2.3:a:lfprojects:mcp_typescript_sdk:*:*:*:*:*:*:*:* versions up to (excluding) 1.24.0 Added Reference Type GitHub, Inc.: https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed Types: Patch Added Reference Type GitHub, Inc.: https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 02, 2025
Action Type Old Value New Value Added Description MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0. Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-1188 Added Reference https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed Added Reference https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w