The vulnerability identified as CVE-2025-66414 affects the Model Context Protocol (MCP) TypeScript SDK versions earlier than 1.24.0. MCP is a protocol used for communication between servers and clients, and its TypeScript SDK facilitates development of these components. The core issue is the insecure default initialization of the DNS rebinding protection feature in HTTP-based MCP servers. DNS rebinding is a technique where an attacker manipulates DNS responses to circumvent the browser's same-origin policy, allowing malicious web pages to interact with local network services. In this case, if an MCP server is running locally on HTTP without authentication and uses either StreamableHTTPServerTransport or SSEServerTransport, and the enableDnsRebindingProtection flag is not explicitly enabled, an attacker can exploit DNS rebinding to send unauthorized requests to the local MCP server. This could lead to unauthorized invocation of tools or access to sensitive resources exposed by the MCP server, effectively allowing actions on behalf of the user. The vulnerability does not impact MCP servers using stdio transport, which are not susceptible to DNS rebinding attacks. The issue was addressed in version 1.24.0 of the SDK by enabling DNS rebinding protection by default, mitigating the risk. The CVSS 4.0 score of 7.6 reflects a high severity, with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact on confidentiality and integrity is high, while availability is not affected. No known exploits are currently reported in the wild. Best practices recommend not running HTTP-based MCP servers locally without authentication, which further reduces risk.

For European organizations, the impact of this vulnerability can be significant if they deploy MCP TypeScript SDK-based HTTP servers locally without authentication and have not updated to version 1.24.0 or later. Attackers exploiting this vulnerability can bypass browser same-origin policies via DNS rebinding to access or manipulate local MCP services, potentially leading to unauthorized execution of commands or access to sensitive data. This could compromise confidentiality and integrity of local resources and tools interfaced through MCP servers. Organizations involved in software development, automation, or services relying on MCP for local inter-process communication are particularly at risk. The exploitation requires user interaction through a malicious website, which means phishing or social engineering could be used as attack vectors. While no widespread exploitation is reported yet, the vulnerability’s ease of exploitation and high impact necessitate prompt attention. The risk is heightened in environments where local MCP servers are run without authentication, contrary to recommended security practices. European organizations with stringent data protection regulations (e.g., GDPR) must consider the potential data confidentiality breaches and operational disruptions caused by this vulnerability.

European organizations should immediately upgrade all MCP TypeScript SDK instances to version 1.24.0 or later, where DNS rebinding protection is enabled by default. For existing deployments, verify that the enableDnsRebindingProtection flag is explicitly set to true for all HTTP-based MCP servers. Avoid running MCP servers locally without authentication; implement strong authentication mechanisms to restrict access. Where possible, prefer using stdio transport for MCP servers, as it is not vulnerable to this issue. Conduct security audits to identify any MCP servers running on localhost without proper protections. Educate developers and system administrators about the risks of DNS rebinding and enforce secure coding and deployment practices. Implement network-level protections such as DNS filtering and browser security policies to reduce exposure to malicious DNS responses. Monitor network traffic and logs for unusual requests originating from web browsers to local MCP servers. Finally, incorporate this vulnerability into organizational vulnerability management and incident response plans to ensure timely detection and remediation.