CVE-2025-66414 Overview
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. The flaw affects versions prior to 1.24.0 when developers run MCP servers on localhost without authentication using StreamableHTTPServerTransport or SSEServerTransport. A malicious website can leverage DNS rebinding to bypass the browser same-origin policy and send requests to the local MCP server. An attacker exploiting this condition can invoke tools or access resources exposed by the MCP server on behalf of the user. The issue does not affect servers using stdio transport and is categorized as Insecure Default Initialization of Resource [CWE-1188].
Critical Impact
Remote attackers controlling a website visited by the user can invoke MCP tools and access resources on locally running, unauthenticated MCP servers via DNS rebinding.
Affected Products
- MCP TypeScript SDK versions prior to 1.24.0
- HTTP-based MCP servers using StreamableHTTPServerTransport
- HTTP-based MCP servers using SSEServerTransport
Discovery Timeline
- 2025-12-02 - CVE-2025-66414 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2025-66414
Vulnerability Analysis
The MCP TypeScript SDK exposes HTTP transports intended primarily for local development. When a developer instantiates StreamableHTTPServerTransport or SSEServerTransport without setting enableDnsRebindingProtection, the server accepts requests regardless of the Host or Origin header. Browsers enforce same-origin policy based on hostnames, not resolved IP addresses, which creates the conditions for DNS rebinding. An attacker hosts a malicious page that initially resolves its domain to an attacker-controlled IP, then rebinds the same domain to 127.0.0.1. JavaScript on the page then issues fetch requests to the rebound domain, which the browser treats as same-origin. The local MCP server receives those requests and processes MCP tool invocations as if the user issued them locally.
Root Cause
The root cause is an insecure default configuration [CWE-1188]. The SDK shipped the HTTP transports with enableDnsRebindingProtection disabled by default, leaving validation of the Host and Origin headers as an opt-in feature. Developers following the quickstart examples inherited the insecure default without explicit warning at runtime.
Attack Vector
Exploitation requires the victim to visit a malicious website while an unauthenticated HTTP-based MCP server runs on localhost. The attacker uses a low time-to-live DNS record to swap the resolved address from a public IP to a loopback address. The browser then sends authenticated cross-origin requests to the MCP server, which honors them because no Host or Origin validation runs. The attacker can then enumerate available tools and invoke them within the privileges of the local server.
// Patch from upstream commit 09623e2aa5044f9e9da62c73d820a8250b9d97ed
// Example servers were refactored to use the new createMcpExpressApp helper,
// which centralizes secure defaults including DNS rebinding protection.
import { randomUUID } from 'node:crypto';
import { type Request, type Response } from 'express';
import { McpServer } from '../../server/mcp.js';
import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
import { isInitializeRequest } from '../../types.js';
import { createMcpExpressApp } from '../../server/index.js';
Source: modelcontextprotocol/typescript-sdk commit 09623e2
Detection Methods for CVE-2025-66414
Indicators of Compromise
- Unexpected HTTP requests to localhost MCP endpoints with Origin headers pointing to external domains.
- MCP server logs showing tool invocations correlated with browser activity rather than IDE or CLI clients.
- DNS query logs containing short-TTL records that resolve to both public and loopback addresses for the same domain.
Detection Strategies
- Inspect MCP server access logs for Host headers that do not match localhost, 127.0.0.1, or ::1.
- Audit installed Node.js dependencies for @modelcontextprotocol/sdk versions below 1.24.0.
- Monitor outbound DNS responses from developer workstations for rebinding patterns where a single domain alternates between external and internal IPs.
Monitoring Recommendations
- Forward MCP server request logs into a centralized logging system and alert on cross-origin requests to local ports.
- Track process listeners on developer endpoints binding to common MCP ports such as 3000 or 8000 without authentication middleware.
- Capture browser telemetry that records cross-origin fetches targeting loopback addresses.
How to Mitigate CVE-2025-66414
Immediate Actions Required
- Upgrade @modelcontextprotocol/sdk to version 1.24.0 or later in all projects that run HTTP-based MCP servers.
- Enable enableDnsRebindingProtection on existing StreamableHTTPServerTransport and SSEServerTransport instances until the upgrade is complete.
- Add authentication to any HTTP-based MCP server, even on localhost, in line with MCP security best practices.
Patch Information
The issue is fixed in MCP TypeScript SDK 1.24.0. The upstream fix is tracked in GitHub Security Advisory GHSA-w48q-cv73-mx4w and applied in commit 09623e2. The patch introduces the createMcpExpressApp helper, which centralizes secure defaults for HTTP transports.
Workarounds
- Switch to stdio transport, which is not affected by DNS rebinding.
- Configure a strict allowlist for the Host header on HTTP-based MCP servers using a reverse proxy or middleware.
- Bind the MCP server to a Unix domain socket rather than a TCP loopback port where supported.
# Upgrade the SDK to the patched version
npm install @modelcontextprotocol/sdk@^1.24.0
# Verify the installed version
npm ls @modelcontextprotocol/sdk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

