CVE-2025-10193 Overview
CVE-2025-10193 is a DNS rebinding vulnerability in the Neo4j Cypher Model Context Protocol (MCP) server. The flaw allows a malicious website to bypass Same-Origin Policy (SOP) protections in the user's browser and invoke unauthorised tools on a locally running Neo4j MCP instance. Exploitation requires a victim to visit attacker-controlled content and remain on the page long enough for the DNS rebinding sequence to complete. The vulnerability is categorised under CWE-346: Origin Validation Error.
Critical Impact
Successful exploitation enables attackers to issue Cypher queries and trigger MCP tool invocations against a locally bound Neo4j MCP server, exposing graph data and supporting unauthorised actions.
Affected Products
- Neo4j Cypher MCP server (mcp-neo4j-cypher) prior to v0.4.0
- Local developer and AI agent deployments exposing the MCP HTTP transport
- Workstations running Neo4j MCP integrations alongside untrusted web browsing
Discovery Timeline
- 2025-09-11 - CVE-2025-10193 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10193
Vulnerability Analysis
The Neo4j Cypher MCP server exposes an HTTP listener on the local loopback interface to serve tool invocations from MCP-aware clients. The server validates requests based on origin assumptions tied to localhost but does not verify the Host header or enforce strict origin pinning. A remote attacker can host a page that initially resolves a controlled domain to its own server, then rebinds that domain to 127.0.0.1 while the victim remains on the page. JavaScript executing under the attacker's origin can then issue requests that the browser treats as same-origin, reaching the MCP listener bound on the victim's host.
Root Cause
The root cause is insufficient origin validation in the MCP HTTP transport. The server trusts requests received on the loopback socket without confirming that the Host header, Origin header, or authentication token matches the expected local client. Because DNS rebinding allows attacker-controlled hostnames to point at loopback addresses, SOP no longer isolates the MCP service from cross-origin code.
Attack Vector
The attack proceeds in stages. The victim visits an attacker-controlled domain that returns a short DNS time-to-live. After initial page load, the attacker's authoritative server rebinds the hostname to 127.0.0.1. Scripts on the page then poll the original hostname, which now resolves to the local MCP server. The browser permits these requests as same-origin, and the script invokes MCP tools, runs Cypher queries against the bound Neo4j instance, and exfiltrates results back to the attacker. The high attack complexity reflects the timing and user-dwell requirements rather than technical depth.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-vcqx-v2mg-7chx for vendor-confirmed technical details.
Detection Methods for CVE-2025-10193
Indicators of Compromise
- HTTP requests to the local MCP port (commonly bound on loopback) where the Host header contains an external domain rather than localhost or 127.0.0.1
- Browser-originated requests to MCP tool endpoints correlated with active sessions on untrusted websites
- Unexpected Cypher query patterns in Neo4j audit logs originating from MCP tool invocations during user web browsing windows
Detection Strategies
- Inspect MCP server access logs for mismatches between the bound interface and the Host or Origin headers presented by clients.
- Correlate browser process network telemetry with connections to MCP listener ports to identify cross-origin invocations.
- Monitor DNS resolver telemetry for short-TTL responses that alternate between public IPs and RFC 1918 or loopback ranges within a single session.
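The first two strategies above, as an added example that is not part of this advisory or of mcp-neo4j-cypher: a scan over MCP access log records that flags requests whose Host or Origin header names anything other than a loopback host. The log line format and the sample lines are constructed for the example; the real server's log format will differ and the regex must be adapted to it.

```python
import re
from typing import Dict, Iterable, List

# Names a local MCP client legitimately puts in Host. Anything else (for
# instance a rebinding domain) reaching a loopback-bound listener is suspect.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Constructed log format for this example (not mcp-neo4j-cypher's own):
#   <ts> <client_ip> "<METHOD> <path>" host=<Host> origin=<Origin|-> status=<code>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host=(?P<host>\S+) origin=(?P<origin>\S+) status=(?P<status>\d+)$'
)

SAMPLE_LOG = """\
2025-09-11T10:00:01Z 127.0.0.1 "POST /mcp" host=localhost:8000 origin=- status=200
2025-09-11T10:00:05Z 127.0.0.1 "POST /mcp" host=127.0.0.1:8000 origin=- status=200
2025-09-11T10:07:42Z 127.0.0.1 "POST /mcp" host=rebind.example.net:8000 origin=http://rebind.example.net status=200
2025-09-11T10:07:43Z 127.0.0.1 "POST /mcp" host=rebind.example.net:8000 origin=http://rebind.example.net status=200
"""

def _strip_port(host: str) -> str:
    """Drop a :port suffix; keeps bracketed IPv6 literals such as [::1] intact."""
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host

def origin_host(origin: str) -> str:
    """Hostname part of an Origin value; '-' means no Origin header was sent."""
    if origin == "-":
        return ""
    return _strip_port(origin.split("://", 1)[-1])

def find_rebinding_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records whose Host or Origin is not a loopback name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        rec = m.groupdict()
        host_ok = _strip_port(rec["host"]) in LOOPBACK_HOSTS
        # No Origin (a non-browser MCP client) is fine; a browser-sent Origin
        # must itself be a loopback origin, otherwise the page was cross-origin.
        oh = origin_host(rec["origin"])
        origin_ok = oh == "" or oh in LOOPBACK_HOSTS
        if not (host_ok and origin_ok):
            hits.append(rec)
    return hits
```

Each returned record carries the timestamp and client address, so hits can be correlated with browser session activity from the same window.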
Monitoring Recommendations
- Enable verbose request logging on mcp-neo4j-cypher and forward events to a centralised log platform for correlation with browser activity.
- Track Neo4j query audit logs for tool invocations occurring outside expected developer workflows.
- Alert on DNS responses that map external hostnames to loopback or private addresses, a hallmark of rebinding infrastructure.
How to Mitigate CVE-2025-10193
Immediate Actions Required
- Upgrade mcp-neo4j-cypher to version 0.4.0 or later, which contains the vendor fix as documented in the v0.4.0 release notes.
- Restart any MCP clients and agent runtimes that maintain persistent connections to the patched server.
- Audit Neo4j query logs for unexpected Cypher invocations during periods when the vulnerable version was running.
Patch Information
Neo4j addressed CVE-2025-10193 in mcp-neo4j-cypher v0.4.0. Vendor details are available in the Neo4j CVE-2025-10193 advisory and the GitHub Security Advisory GHSA-vcqx-v2mg-7chx. The fix enforces Host header validation and origin checks on incoming MCP HTTP requests.
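The kind of check the fix adds, written here as an added example and not as the project's own code: a request gate for a loopback-bound MCP HTTP transport that rejects any Host outside a loopback allowlist, any browser Origin that is not itself a loopback origin, and (optionally) any request lacking the configured bearer token. The function name, the allowlist and the token scheme are assumptions of this example.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Hostnames a legitimate local MCP client may send in Host. A rebinding page
# keeps the attacker's domain in Host even after it resolves to 127.0.0.1.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def _hostname(value: str) -> str:
    """Lower-case and drop a :port suffix, keeping bracketed IPv6 literals."""
    value = value.strip().lower()
    if value.startswith("["):
        return value.split("]")[0] + "]"
    return value.rsplit(":", 1)[0] if ":" in value else value

def check_request(headers: Mapping[str, str],
                  expected_token: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for one inbound MCP HTTP request.

    Rejects when:
      * Host is missing or names anything other than a loopback host, or
      * an Origin header is present (browser-initiated) and is not itself a
        loopback origin (covers 'null' and non-URL values too), or
      * a token is configured and Authorization does not carry it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    if _hostname(host) not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"
    origin = h.get("origin")
    if origin is not None:
        if "://" not in origin or _hostname(origin.split("://", 1)[1]) not in ALLOWED_HOSTS:
            return False, f"origin not allowed: {origin!r}"
    if expected_token is not None:
        scheme, _, presented = h.get("authorization", "").partition(" ")
        # Constant-time comparison so token checking does not leak by timing.
        if scheme.lower() != "bearer" or not hmac.compare_digest(
                presented.encode(), expected_token.encode()):
            return False, "missing or invalid bearer token"
    return True, "ok"
```

Call it before dispatching any tool invocation; the Host check alone defeats the rebinding described above, and the Origin check additionally blocks browser-originated calls that would otherwise reach the listener.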
Workarounds
- Run the MCP server only when actively in use and terminate the process when finished to shrink the exposure window.
- Bind the MCP listener to a Unix domain socket or use stdio transport instead of HTTP where supported by the client.
- Configure a local firewall rule to restrict the MCP port to trusted client processes only.
- Use a browser profile separated from MCP development workstations to avoid co-resident browsing on attacker-controlled sites.
# Upgrade the vulnerable package to the fixed release
pip install --upgrade "mcp-neo4j-cypher>=0.4.0"
# Verify installed version
pip show mcp-neo4j-cypher | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.