GHSA-6q9c-m9fr-865m

Source

https://github.com/advisories/GHSA-6q9c-m9fr-865m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-6q9c-m9fr-865m/GHSA-6q9c-m9fr-865m.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6q9c-m9fr-865m

Aliases

Published

2025-09-29T16:28:49Z

Modified

2025-10-23T20:21:11Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

vet MCP Server SSE Transport DNS Rebinding Vulnerability

Details

SafeDep vet is vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation.

To exploit this vulnerability following conditions must be met:

A vet scan is executed and reports are saved as sqlite3 database
A vet MCP server is running on default port with SSE transport that has access to the report database
The attacker lures the victim to attacker controlled website
Attacker leverages DNS rebinding to access vet SSE server on 127.0.0.1 through the website
Attacker uses MCP tools to read information from report database

Impact

Data from vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.

Patches

v1.12.5 is released that patches the issue with Host and Origin header allow list and validation

Workarounds

Use stdio (default) transport for SSE server

Database specific

{
    "github_reviewed_at": "2025-09-29T16:28:49Z",
    "cwe_ids": [
        "CWE-350"
    ],
    "severity": "LOW",
    "nvd_published_at": "2025-09-29T22:15:36Z",
    "github_reviewed": true
}

References

Affected packages

Go / github.com/safedep/vet

Package

Name: github.com/safedep/vet; View open source insights on deps.dev
Purl: pkg:golang/github.com/safedep/vet

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.5