CVE-2025-66416: CWE-1188: Insecure Default Initialization of Resource in modelcontextprotocol python-sdk
The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0.
AI Analysis
Technical Summary
The Model Context Protocol (MCP) Python SDK, known as 'mcp' on PyPI, implements the MCP for local inter-process communication. Prior to version 1.23.0, the SDK did not enable DNS rebinding protection by default for HTTP-based MCP servers. DNS rebinding is an attack technique that manipulates the victim's browser to bypass same-origin policy restrictions by resolving a domain name to a local IP address after initial DNS resolution. When an MCP server is run locally on localhost without authentication, using FastMCP with streamable HTTP or Server-Sent Events (SSE) transport, and without configuring TransportSecuritySettings, a malicious website can exploit this DNS rebinding vulnerability. This enables the attacker to send unauthorized requests to the local MCP server, potentially invoking tools or accessing sensitive resources exposed by the server under the user's context. The vulnerability does not affect MCP servers using stdio transport, which is a different communication mechanism. The issue stems from insecure default initialization of security settings (CWE-1188), specifically the lack of DNS rebinding protection by default. The vulnerability has a CVSS 4.0 score of 7.6 (high severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and partial impact on confidentiality and integrity. The vulnerability was publicly disclosed on December 2, 2025, and fixed in MCP Python SDK version 1.23.0. Best practices recommend not running HTTP-based MCP servers locally without authentication or proper transport security configurations.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially for developers, data scientists, or applications that use the MCP Python SDK locally for model serving or inter-process communication. If an attacker can lure a user to a malicious website, they could exploit DNS rebinding to bypass browser same-origin policies and interact with the local MCP server. This could lead to unauthorized invocation of local tools or access to sensitive data or resources exposed by the MCP server, potentially compromising confidentiality and integrity of local operations. The impact is heightened in environments where MCP servers are run without authentication or transport security, which may be common in development or testing environments. While the vulnerability requires user interaction, the widespread use of Python and MCP in AI/ML workflows in Europe increases the attack surface. Organizations handling sensitive or regulated data (e.g., financial, healthcare, or governmental sectors) could face data breaches or operational disruptions. The vulnerability does not affect availability directly but could lead to indirect impacts if exploited for lateral movement or privilege escalation.
Mitigation Recommendations
European organizations should immediately upgrade the MCP Python SDK to version 1.23.0 or later, where DNS rebinding protection is enabled by default. For environments where upgrading is not immediately feasible, administrators should explicitly configure TransportSecuritySettings to enable DNS rebinding protection and enforce authentication on all HTTP-based MCP servers. Avoid running MCP servers on localhost without authentication or transport security, especially in production or sensitive environments. Developers should consider switching to stdio transport for MCP servers where possible, as it is not affected by this vulnerability. Network-level mitigations include restricting outbound DNS queries and monitoring for suspicious DNS rebinding patterns. Security teams should educate users about the risks of visiting untrusted websites while running local MCP servers. Finally, incorporate MCP server security checks into CI/CD pipelines and vulnerability management programs to ensure compliance with best practices.
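On the server side, DNS rebinding protection comes down to an allowlist check on the `Host` and `Origin` headers of each request. The following is an added example, not code from the MCP SDK or from this advisory; port 8000, the two allowlists, the function name `validate_request` and the status codes are assumptions made for illustration.

```python
"""Added illustration: Host/Origin allowlisting for a localhost HTTP server."""
from urllib.parse import urlsplit

# Assumption: the local server listens on port 8000 (hypothetical value).
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000", "[::1]:8000"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8000", "http://localhost:8000"}


def validate_request(headers):
    """Return (status, reason); status codes are this example's own choice."""
    h = {name.lower(): value.strip() for name, value in headers.items()}

    # A rebound hostname still arrives in Host, because the browser believes
    # it is talking to the attacker's domain. A missing Host is rejected too.
    host = h.get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        return 421, "Host not in allowlist"

    # Browsers attach Origin to cross-origin requests; non-browser clients
    # usually omit it, so absence is accepted but any value must match.
    origin = h.get("origin")
    if origin is not None:
        parts = urlsplit(origin)
        normalized = f"{parts.scheme}://{parts.netloc}".lower()
        if normalized not in ALLOWED_ORIGINS:
            return 403, "Origin not in allowlist"
    return 200, "ok"


# Constructed sample requests (header sets only), not captured traffic.
SAMPLES = {
    "local client": {"Host": "127.0.0.1:8000"},
    "local web UI": {"Host": "localhost:8000", "Origin": "http://localhost:8000"},
    "rebound name": {"Host": "rebind.attacker.example:8000",
                     "Origin": "http://rebind.attacker.example:8000"},
    "cross-site page": {"Host": "localhost:8000", "Origin": "https://site.example"},
    "opaque origin": {"Host": "localhost:8000", "Origin": "null"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:16} -> {validate_request(hdrs)}")
```

Header checks of this kind complement authentication on the local server; they do not replace it.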
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-28T23:33:56.366Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f388ae0601f8fcd7a9517
Added to database: 12/2/2025, 7:05:46 PM
Last enriched: 12/2/2025, 7:20:41 PM
Last updated: 12/2/2025, 8:16:37 PM