Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64443

CVE-2025-64443: Docker MCP Gateway RCE Vulnerability

CVE-2025-64443 is a DNS rebinding RCE flaw in Docker MCP Gateway affecting versions 0.27.0 and earlier in SSE or streaming modes. Attackers can exploit MCP servers via malicious websites. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-64443 Overview

CVE-2025-64443 is a DNS rebinding vulnerability in Docker MCP Gateway, a tool that runs and deploys Model Context Protocol (MCP) servers. The flaw affects versions 0.27.0 and earlier when the gateway operates in sse or streaming transport mode. An attacker who lures a victim to a malicious website or serves a malicious advertisement can pivot the victim's browser to attack MCP servers running behind the gateway. The vulnerability falls under [CWE-749: Exposed Dangerous Method or Function]. Docker released version 0.28.0 to address the issue.

Critical Impact

Browser-based attackers can manipulate tools and features exposed by MCP servers behind the gateway, potentially executing privileged operations on behalf of the victim.

Affected Products

  • Docker MCP Gateway versions 0.27.0 and earlier
  • Gateway instances running in sse transport mode
  • Gateway instances running in streaming transport mode

Discovery Timeline

  • 2025-12-03 - CVE-2025-64443 published to NVD
  • 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2025-64443

Vulnerability Analysis

MCP Gateway exposes a local HTTP listener when configured in sse (Server-Sent Events) or streaming transport mode. The listener lacks validation of the HTTP Host header and the request Origin. This omission allows DNS rebinding attacks where an attacker-controlled domain initially resolves to a public IP, then rebinds to a loopback or internal address. The victim's browser, treating the attacker's domain as the same origin throughout, sends authenticated requests to the local gateway.

Once the browser has been rebound, JavaScript from the malicious page can issue cross-origin requests to the MCP gateway as if it were a trusted local client. This grants the attacker the ability to invoke any tool or capability exposed by MCP servers running behind the gateway. The gateway running in the default stdio mode is unaffected because that mode does not bind a network socket.

Root Cause

The root cause is missing host and origin validation on the network-facing transports. Without an allowlist of permitted Host header values and proper Origin checks, the gateway accepts requests from any browser context that can resolve to its listening address.

Attack Vector

Exploitation requires user interaction. The victim must visit an attacker-controlled web page or load a malicious advertisement. The attacker then leverages short-TTL DNS records to swap the resolved IP from an external host to 127.0.0.1 or another address where the gateway listens.

go
// Patch in pkg/gateway/transport.go (Docker MCP Gateway v0.28.0)
 import (
 	"context"
+	"fmt"
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 
 	"github.com/modelcontextprotocol/go-sdk/mcp"

Source: Docker MCP Gateway commit 6b076b2. The patch introduces URL parsing and formatted validation logic used to verify request hosts before processing transport requests.

Detection Methods for CVE-2025-64443

Indicators of Compromise

  • Unexpected HTTP requests to the MCP gateway listener originating from browser User-Agent strings rather than known MCP clients.
  • Requests carrying Host headers that do not match the gateway's configured bind address or localhost.
  • MCP tool invocations occurring during user web-browsing sessions without corresponding workflow activity.

Detection Strategies

  • Inspect gateway access logs for requests with mismatched Host headers or missing Origin headers.
  • Correlate MCP tool invocation events with proxy or DNS telemetry showing recently rebound short-TTL domains.
  • Monitor for outbound DNS queries from endpoint browsers resolving the same hostname to both public and private IP ranges within a short window.

Monitoring Recommendations

  • Log all HTTP requests reaching the MCP gateway, including full Host, Origin, and Referer headers.
  • Alert on processes binding to MCP gateway ports when transport is set to sse or streaming on multi-user systems.
  • Track the deployed version of docker/mcp-gateway across hosts and flag any instance below 0.28.0.

How to Mitigate CVE-2025-64443

Immediate Actions Required

  • Upgrade Docker MCP Gateway to version 0.28.0 or later on all hosts.
  • Switch any non-essential deployments back to the default stdio transport, which is not affected.
  • Restrict the gateway listener to 127.0.0.1 and place it behind host-based firewall rules.

Patch Information

Docker released version 0.28.0 containing commit 6b076b2479d8d1345c50c112119c62978d46858e, which adds host validation to the transport layer. Details are available in the Docker MCP Gateway Security Advisory GHSA-46gc-mwh4-cc5r.

Workarounds

  • Run MCP Gateway only in the default stdio mode until upgrading is possible.
  • Block browser access to the gateway port using local firewall rules or iptables policies that drop requests from non-loopback sources.
  • Require an authentication token on the reverse proxy in front of the gateway and reject requests lacking a trusted Origin.
bash
# Verify installed version and upgrade
docker mcp gateway version
docker pull docker/mcp-gateway:0.28.0

# Restrict the listener to loopback only when running sse/streaming mode
docker mcp gateway run --transport stdio

# Optional host firewall rule to block remote access to the gateway port
sudo iptables -A INPUT -p tcp --dport 8811 ! -s 127.0.0.1 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.