GHSA-9h52-p55h-vw2f

Source

https://github.com/advisories/GHSA-9h52-p55h-vw2f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-9h52-p55h-vw2f/GHSA-9h52-p55h-vw2f.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9h52-p55h-vw2f

Aliases

Related

CGA-4rr5-v9cg-v92p

Published

2025-12-02T16:52:08Z

Modified

2026-01-30T01:28:51.658622Z

Severity

7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

Details

Description

The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via FastMCP() now have DNS rebinding protection enabled by default when the host parameter is 127.0.0.1 or localhost. Users are advised to update to version 1.23.0 to receive this automatic protection. Users with custom low-level server configurations using StreamableHTTPSessionManager or SseServerTransport directly should explicitly configure TransportSecuritySettings when running an unauthenticated server on localhost.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-12-02T19:15:52Z",
    "severity": "HIGH",
    "github_reviewed_at": "2025-12-02T16:52:08Z",
    "cwe_ids": [
        "CWE-1188",
        "CWE-350"
    ]
}

References

Affected packages

PyPI / mcp

Package

Name: mcp; View open source insights on deps.dev
Purl: pkg:pypi/mcp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.23.0

Affected versions

0.*

0.9.1

1.*

1.0.0

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0rc1

1.2.0

1.2.1

1.3.0rc1

1.3.0

1.4.0

1.4.1

1.5.0

1.6.0

1.7.0

1.7.1

1.8.0

1.8.1

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.10.0

1.10.1

1.11.0

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.13.0

1.13.1

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.18.0

1.19.0

1.20.0

1.21.0

1.21.1

1.21.2

1.22.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-9h52-p55h-vw2f/GHSA-9h52-p55h-vw2f.json"