CVE-2025-66416: MCP Python SDK Auth Bypass Vulnerability

CVE-2025-66416 Overview

CVE-2025-66416 affects the Model Context Protocol (MCP) Python SDK, distributed as mcp on PyPI. Versions prior to 1.23.0 do not enable DNS rebinding protection by default for HTTP-based servers. When an MCP server runs on localhost without authentication using FastMCP with streamable HTTP or Server-Sent Events (SSE) transport, a malicious website can exploit DNS rebinding to bypass same-origin policy restrictions. Attackers can invoke tools or access resources exposed by the local MCP server on behalf of the user. Servers using stdio transport are not affected. The issue is fixed in version 1.23.0.

Critical Impact

A malicious website visited by a user can bypass browser same-origin policy via DNS rebinding and issue requests to a local unauthenticated MCP server, executing exposed tools and reading exposed resources.

Affected Products

• mcp Python SDK (PyPI package) prior to version 1.23.0
• FastMCP servers configured with streamable HTTP transport
• FastMCP servers configured with SSE transport

Discovery Timeline

• 2025-12-02 - CVE-2025-66416 published to NVD
• 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2025-66416

Vulnerability Analysis

The vulnerability is categorized under [CWE-1188] (Insecure Default Initialization of Resource). The MCP Python SDK ships HTTP-based transports with DNS rebinding protection disabled by default. When developers run FastMCP servers locally without setting TransportSecuritySettings, the server accepts requests regardless of the Host or Origin header values used to reach it.

DNS rebinding allows an attacker-controlled domain to resolve first to a public IP and then re-resolve to 127.0.0.1. After the rebind, browser JavaScript loaded from the attacker domain treats the local MCP server as same-origin and issues authenticated cross-origin requests. The local server, lacking host/origin validation, executes the requests and exposes its registered tools and resources.

Root Cause

The root cause is an insecure default configuration in the FastMCP server initialization path. The constructor accepted transport_security=None and proceeded without injecting rebinding defenses for loopback bindings. No validation of inbound Host or Origin headers occurred when the developer did not explicitly configure TransportSecuritySettings.

Attack Vector

The attack requires the victim to visit an attacker-controlled web page while a vulnerable MCP server runs on localhost. The page hosts JavaScript that issues fetch requests to a domain the attacker controls. After DNS rebinding to 127.0.0.1, the script invokes the MCP JSON-RPC endpoint and calls exposed tools or reads resources within the user's context.

        auth: AuthSettings | None = None,
        transport_security: TransportSecuritySettings | None = None,
    ):
+       # Auto-enable DNS rebinding protection for localhost (IPv4 and IPv6)
+       if transport_security is None and host in ("127.0.0.1", "localhost", "::1"):
+           transport_security = TransportSecuritySettings(
+               enable_dns_rebinding_protection=True,
+               allowed_hosts=["127.0.0.1:*", "localhost:*", "[::1]:*"],
+               allowed_origins=["http://127.0.0.1:*", "http://localhost:*", "http://[::1]:*"],
+           )
+
        self.settings = Settings(
            debug=debug,
            log_level=log_level,

Source: GitHub Commit d3a1841 — the patch auto-enables DNS rebinding protection when the server binds to a loopback address and the developer has not supplied explicit transport settings.

Detection Methods for CVE-2025-66416

Indicators of Compromise

• Inbound HTTP requests to a local MCP server carrying a Host header that does not match 127.0.0.1, localhost, or [::1].
• Origin headers on MCP JSON-RPC requests referencing external domains the user did not intend to integrate.
• Unexpected MCP tools/call or resources/read invocations originating from browser user-agents.

Detection Strategies

• Inventory installed Python environments for mcp package versions below 1.23.0 using pip list or SBOM scanners.
• Review FastMCP server instantiations in source repositories for missing TransportSecuritySettings configuration.
• Enable application-level logging of inbound Host and Origin headers on HTTP-based MCP servers and alert on non-loopback values.

Monitoring Recommendations

• Monitor process telemetry on developer workstations for Python processes listening on 127.0.0.1 with MCP transport ports.
• Capture browser-originated traffic to local loopback ports and flag requests where Origin differs from http://localhost or http://127.0.0.1.
• Track outbound DNS resolutions that switch from public IPs to private/loopback ranges within short TTL windows.

How to Mitigate CVE-2025-66416

Immediate Actions Required

• Upgrade the mcp package to version 1.23.0 or later in all Python environments running MCP servers.
• Audit FastMCP deployments and verify that HTTP and SSE transports are not exposed without authentication.
• For servers bound to non-loopback interfaces, explicitly configure TransportSecuritySettings with allow-listed hosts and origins.

Patch Information

The fix is delivered in mcp 1.23.0 via commit d3a1841. The patch automatically enables DNS rebinding protection when an HTTP-based MCP server binds to 127.0.0.1, localhost, or ::1 and no explicit TransportSecuritySettings is supplied. See the GitHub Security Advisory GHSA-9h52-p55h-vw2f for advisory details.

Workarounds

• Switch local MCP servers to stdio transport, which is not affected by this vulnerability.
• Manually configure TransportSecuritySettings with enable_dns_rebinding_protection=True and explicit allowed_hosts and allowed_origins lists.
• Add authentication to all HTTP-based MCP servers, even when bound to localhost, per MCP security best practices.

# Upgrade the MCP Python SDK to the patched release
pip install --upgrade "mcp>=1.23.0"

# Verify the installed version
python -c "import mcp, importlib.metadata as m; print(m.version('mcp'))"