CVE-2025-64443: CWE-749: Exposed Dangerous Method or Function in docker mcp-gateway
MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue.
AI Analysis
Technical Summary
CVE-2025-64443 is a vulnerability categorized under CWE-749 (Exposed Dangerous Method or Function) affecting Docker's MCP Gateway software versions earlier than 0.28.0. MCP Gateway facilitates the deployment and operation of MCP servers and supports multiple transport modes, including stdio, sse, and streaming. The vulnerability manifests when MCP Gateway runs in sse or streaming transport mode; these modes listen on network ports and are susceptible to DNS rebinding attacks. DNS rebinding is a technique that tricks a victim's browser into bypassing the same-origin policy by resolving a domain name to different IP addresses, allowing attackers to interact with internal network services. In this case, an attacker can entice a user to visit a malicious website or be served a malicious advertisement, which then exploits the DNS rebinding flaw to access MCP servers behind the gateway. This access enables the attacker to manipulate tools or features exposed by those MCP servers, potentially leading to unauthorized actions or data exposure. The default stdio mode does not listen on network ports and is therefore not vulnerable. The vulnerability has a CVSS 4.0 base score of 7.3, indicating high severity, with network attack vector, low attack complexity, and no privileges required, but user interaction needed. The impact on confidentiality is low, but integrity and availability impacts are high, with high scope and security requirements. No known exploits have been reported in the wild as of the publication date. The issue is resolved in MCP Gateway version 0.28.0, which should be adopted promptly to mitigate the risk.
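A generic server-side defense against the DNS rebinding described above is to reject requests whose Host or Origin header does not name the listener. This is an added example, not code from MCP Gateway and not a description of the 0.28.0 fix; the allowlist, port 8080 and the `rebind.example` name are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts: names a local client legitimately uses (assumption for this example).
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// hostOnly lowercases a Host header value and strips any port and IPv6 brackets.
func hostOnly(hostport string) string {
	return strings.ToLower((&url.URL{Host: hostport}).Hostname())
}

// rebindGuard rejects requests whose Host, or Origin when present, is not allowlisted.
// After a rebind the browser reaches the local port but still sends the foreign name.
func rebindGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := allowedHosts[hostOnly(r.Host)]
		if o := r.Header.Get("Origin"); ok && o != "" {
			u, err := url.Parse(o)
			ok = err == nil && allowedHosts[strings.ToLower(u.Hostname())]
		}
		if !ok {
			http.Error(w, "forbidden host or origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard and returns the status code.
func probe(host, origin string) int {
	req := httptest.NewRequest(http.MethodPost, "http://placeholder.invalid/", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	rebindGuard(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("localhost:8080", ""), probe("rebind.example:8080", "http://rebind.example:8080"))
}
```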
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to those deploying MCP Gateway in sse or streaming modes within their container orchestration or microservices infrastructure. Successful exploitation can lead to unauthorized manipulation of MCP servers, potentially disrupting critical services or altering configurations, thereby impacting service integrity and availability. Confidential data exposure risk is lower but not negligible if attacker-controlled commands access sensitive information. The requirement for user interaction (visiting a malicious site or ad) means phishing or social engineering campaigns could be leveraged. Organizations in sectors such as finance, healthcare, manufacturing, and critical infrastructure that rely on containerized environments and MCP Gateway for deployment automation are particularly vulnerable. The vulnerability could facilitate lateral movement within internal networks or serve as a foothold for further attacks. Given the high adoption of Docker and container technologies across Europe, the threat surface is substantial. The absence of known exploits in the wild provides a window for proactive mitigation, but the ease of exploitation via browser-based vectors necessitates urgent attention.
Mitigation Recommendations
1. Upgrade MCP Gateway to version 0.28.0 or later immediately to eliminate the vulnerability.
2. If upgrading is not immediately feasible, configure MCP Gateway to run exclusively in stdio mode, which is not vulnerable as it does not listen on network ports.
3. Implement network-level protections such as DNS rebinding mitigations on corporate DNS resolvers and firewalls, including enforcing strict same-origin policies and blocking suspicious DNS responses.
4. Employ web filtering and ad-blocking solutions to reduce exposure to malicious websites and advertisements that could trigger exploitation.
5. Educate users about the risks of visiting untrusted websites and the dangers of phishing campaigns that could lead to exploitation.
6. Monitor network traffic for unusual connections to MCP Gateway ports, especially from internal hosts that may have been compromised via browser-based attacks.
7. Conduct regular security assessments and penetration tests focusing on container orchestration components and gateway services.
8. Apply strict access controls and network segmentation to limit exposure of MCP Gateway instances to only trusted networks and users.
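The resolver-side check behind recommendation 3 can be stated as a rule: a name outside your own internal zones should never resolve to loopback, private, link-local or unspecified address space. The following is an added example of that rule, not part of the advisory or of any resolver product; the zone `corp.example` and the sample responses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// internalZones: zones expected to resolve to private space (assumption for this example).
var internalZones = []string{"corp.example"}

// isInternalTarget reports whether an address is loopback, private, link-local or unspecified.
func isInternalTarget(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// suspiciousAnswers returns the A/AAAA values in one response that point a
// non-internal name at internal address space, i.e. what a rebinding filter drops.
func suspiciousAnswers(qname string, answers []string) []string {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	if name == "localhost" {
		return nil
	}
	for _, z := range internalZones {
		if name == z || strings.HasSuffix(name, "."+z) {
			return nil
		}
	}
	var bad []string
	for _, raw := range answers {
		if addr, err := netip.ParseAddr(raw); err == nil && isInternalTarget(addr) {
			bad = append(bad, raw)
		}
	}
	return bad
}

func main() {
	// Constructed responses: a public name answering with loopback, then an internal name.
	fmt.Println(suspiciousAnswers("ads.rebind.example.", []string{"203.0.113.10", "127.0.0.1"}))
	fmt.Println(suspiciousAnswers("wiki.corp.example.", []string{"10.0.0.5"}))
}
```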
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-03T22:12:51.366Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69307b19b129615efa193349
Added to database: 12/3/2025, 6:02:01 PM
Last enriched: 12/3/2025, 6:13:59 PM
Last updated: 12/5/2025, 1:22:14 AM