
CVE-2025-10193: CWE-346 Origin Validation Error in neo4j neo4j-cypher MCP server

Severity: High
Tags: Vulnerability, CVE-2025-10193, CWE-346
Published: Thu Sep 11 2025 (09/11/2025, 14:05:30 UTC)
Source: CVE Database V5
Vendor/Project: neo4j
Product: neo4j-cypher MCP server

Description

DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.

AI-Powered Analysis

Last updated: 09/11/2025, 14:13:35 UTC

Technical Analysis

CVE-2025-10193 is a high-severity vulnerability affecting the Neo4j Cypher MCP server version 0.2.2. The root cause is an origin validation error (CWE-346) that enables a DNS rebinding attack. DNS rebinding is a technique where an attacker manipulates the victim's DNS resolution to bypass the browser's Same-Origin Policy (SOP), which normally restricts web pages from making requests to different origins. In this case, a malicious website can cause a victim's browser to resolve a domain to the attacker's server initially, then rebind it to the localhost IP address where the Neo4j Cypher MCP server is running. Because the MCP server does not properly validate the origin of incoming requests, the attacker can send unauthorized commands to the local Neo4j instance via the victim's browser. This attack requires the victim to visit and remain on a malicious website long enough for the DNS rebinding to succeed. The vulnerability impacts confidentiality and integrity by allowing unauthorized tool invocations on the local Neo4j MCP server, potentially exposing sensitive graph data or allowing manipulation of the database. Availability impact is less direct but could occur if the attacker issues disruptive commands. The CVSS 4.0 score is 7.4 (high), reflecting network attack vector, high complexity, partial user interaction, and high impact on confidentiality and integrity. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability highlights a critical security gap in origin validation within the Neo4j Cypher MCP server, emphasizing the need for robust origin checks and DNS rebinding mitigations in web-exposed local services.

Potential Impact

For European organizations using Neo4j, especially those running the vulnerable MCP server version 0.2.2 on developer machines or internal tools accessible via browsers, this vulnerability poses a significant risk. Attackers could leverage DNS rebinding to bypass browser SOP protections and execute unauthorized commands against local Neo4j instances. This could lead to unauthorized data access, data manipulation, or disruption of graph database services. Organizations handling sensitive or regulated data (e.g., financial, healthcare, government) could face data breaches, compliance violations (such as GDPR), and operational disruptions. Since the attack requires user interaction (visiting a malicious website), phishing or social engineering campaigns could be used to target employees. The lack of patches increases the window of exposure. The impact is particularly critical in environments where Neo4j is used for critical data analytics, identity management, or infrastructure orchestration. The vulnerability could also be exploited to pivot into internal networks if Neo4j instances have broader connectivity.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the Neo4j Cypher MCP server to trusted networks and localhost only, using firewall rules or network segmentation to prevent external access.
2. Disable or restrict browser-based access to the MCP server where possible, or require strong authentication and origin validation at the application level.
3. Educate users about the risks of visiting untrusted websites and implement browser security policies that limit DNS rebinding attacks, such as DNS pinning or using browser extensions that block suspicious DNS behavior.
4. Monitor network traffic for unusual DNS queries or rebinding patterns targeting local IP addresses.
5. Apply strict Content Security Policies (CSP) and SameSite cookie attributes to reduce cross-origin risks.
6. Follow Neo4j vendor advisories closely and apply patches or updates as soon as they become available.
7. Consider deploying web application firewalls (WAFs) or endpoint protection solutions that can detect and block DNS rebinding or unauthorized local requests.
8. Review and harden origin validation logic in custom integrations or extensions interacting with the MCP server.
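The application-level origin validation that recommendations 2 and 8 call for can be illustrated with a small Host/Origin allow-list check. In a DNS rebinding attack the browser still sends the attacker's domain in the Host header (and in Origin for cross-origin requests), so a local service that only accepts loopback names in both headers rejects the rebound request even though the TCP connection arrives on 127.0.0.1. The following Python is an added example, not the Neo4j project's code; the handler class, the port, and the allow-list of loopback names are assumptions, and the sample header sets are constructed for the demonstration.

```python
"""Host/Origin allow-list check against DNS rebinding for a local MCP-style HTTP server.

Added example, not the Neo4j Cypher MCP server's own code. The allow-list,
port and handler below are assumptions for a local-only deployment.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names a browser may legitimately use to reach a local server (assumption;
# widen only with names you control, never with a wildcard).
ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}
ALLOWED_SCHEMES = {"http", "https"}


def _hostname(authority):
    """Extract the host part of 'host', 'host:port' or '[v6]:port'.

    urlsplit on '//' + authority strips the port and IPv6 brackets and
    lowercases the name; it raises ValueError on malformed IPv6 authorities.
    """
    try:
        return urlsplit("//" + authority).hostname
    except ValueError:
        return None


def check_request_origin(headers):
    """Return (accepted, reason) for one request's headers (any key casing).

    Host is mandatory and must be a loopback name: a rebound request carries
    the attacker's domain here. Origin, when present, must also be a loopback
    origin; 'null' and non-loopback origins are rejected. A missing Origin is
    accepted because non-browser MCP clients and same-origin navigations do
    not send one; the Host check still applies to them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host")
    if not host:
        return False, "missing Host header"
    if _hostname(host) not in ALLOWED_HOSTNAMES:
        return False, "Host %r is not a loopback name (possible DNS rebinding)" % host
    origin = h.get("origin")
    if origin is None:
        return True, "no Origin header (non-browser client or same-origin request)"
    parts = urlsplit(origin)
    if parts.scheme not in ALLOWED_SCHEMES or parts.hostname not in ALLOWED_HOSTNAMES:
        return False, "Origin %r is not an allowed loopback origin" % origin
    return True, "Host and Origin are loopback"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler (assumption) that gates every tool request on the check."""

    def do_POST(self):
        accepted, reason = check_request_origin(dict(self.headers))
        if not accepted:
            # Log the reason locally; the client only learns it was refused.
            self.log_message("refused request: %s", reason)
            self.send_error(403, "Forbidden")
            return
        body = b'{"status": "origin check passed"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample header sets, as a browser would send them.
SAMPLES = {
    "same_origin_browser": {"Host": "localhost:8000", "Origin": "http://localhost:8000"},
    "cli_client": {"Host": "127.0.0.1:8000"},
    "rebound_request": {"Host": "rebind.example:8000", "Origin": "http://rebind.example"},
    "cross_origin_page": {"Host": "localhost:8000", "Origin": "http://evil.example"},
    "null_origin": {"Host": "localhost:8000", "Origin": "null"},
}


def evaluate_samples():
    """Map each constructed sample to whether the check accepts it."""
    return {name: check_request_origin(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        print("%-20s %s" % (name, "accepted" if accepted else "rejected"))
    # Bind to loopback only (recommendation 1); port is an assumption.
    HTTPServer(("127.0.0.1", 8000), GuardedHandler).serve_forever()
```

The Host check alone defeats classic DNS rebinding, because the rebound name never matches a loopback entry; the Origin check additionally stops a cross-origin page on a non-rebound host from driving the server through CORS-permitted requests. Comparing parsed hostnames rather than raw header strings avoids bypasses through port suffixes, bracket notation or case differences.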


Technical Details

Data Version: 5.1
Assigner Short Name: Neo4j
Date Reserved: 2025-09-09T16:04:09.860Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c2d8fd5aed1f7cf94a225a

Added to database: 9/11/2025, 2:13:17 PM

Last enriched: 9/11/2025, 2:13:35 PM

Last updated: 9/11/2025, 3:11:07 PM
