Overview
A DNS rebinding vulnerability in the Vet MCP server's SSE transport allows a web page served from an attacker-controlled domain to reach the MCP server listening on localhost. The attack does not break the browser's Same-Origin Policy; it satisfies it, because the origin the browser sees (scheme, host and port) never changes while the IP address behind the name is switched to 127.0.0.1.
Who Is Affected
Affects anyone running the Vet MCP server locally over the SSE transport for AI-assisted development workflows. Reported by mcpsec.dev, a community project tracking MCP security advisories.
Where It Exists
The vulnerability is in the Vet MCP server's SSE (Server-Sent Events) transport layer. The server binds to localhost but does not validate the Host header on incoming requests, so a request that arrives through a rebound attacker domain is accepted even though its Host header names that domain rather than localhost. This is the precondition for a DNS rebinding attack.
When It Was Found
Advisory published October 6, 2025 on mcpsec.dev.
How It Works
An attacker hosts a web page on a domain they control and serves it on the same port the local MCP server listens on, with a very short DNS TTL. The domain first resolves to the attacker's server, which delivers the page; the page's script then waits for the cached record to expire and issues requests to the same domain and port, which now resolves to 127.0.0.1. The browser treats those requests as same-origin, since scheme, host and port are unchanged and only the address behind the name has moved, so the script can open the SSE stream and read the responses. The requests reach the local Vet MCP server carrying a Host header that names the attacker's domain rather than localhost; because the server does not check it, it treats the connection as a legitimate SSE client, and the attacker's script can send MCP messages and invoke tools.
Impact
A remote web page can drive the local Vet MCP server with the same privileges as a legitimate local client, since the transport itself does not authenticate callers. Depending on the tools the server exposes, this can lead to file access, code execution, data exfiltration, and other actions in the developer's local environment.
Mitigation
Validate the Host header and reject requests whose host part (after stripping the port and any IPv6 brackets) is not exactly localhost, 127.0.0.1 or ::1; an exact match is required, since a prefix or substring check would accept names such as localhost.attacker.example. Restrict CORS and reject requests whose Origin header is present but not on the allowlist, keeping in mind that this is a secondary control: a rebound request is same-origin from the browser's point of view and a GET may carry no Origin header at all, so it cannot replace Host validation. Require an authentication token on SSE connections, which a rebound page cannot obtain. Follow the DNS rebinding protection patterns introduced in later versions of the MCP SDK.
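The following Go program is an added example written for this page, not code from the Vet project or the MCP SDK. It illustrates both the request described under How It Works and the check described under Mitigation: a stand-in SSE endpoint, a middleware that rejects requests whose Host header (and, when present, Origin header) does not name the loopback host, and a probe that replays the request a browser would send after rebinding (Host: attacker.example:8080) against the unprotected and the protected handler. The stand-in endpoint, the allowlist, port 8080 and the domain attacker.example are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts is the Host allowlist (assumed for this example). Only the
// host part is compared, so any port is accepted once the host matches.
var allowedHosts = []string{"localhost", "127.0.0.1", "::1"}

// hostAllowed reports whether a raw Host header value names an allowed host.
// The port and IPv6 brackets are stripped and the host is compared exactly,
// so "localhost.attacker.example:8080" does not match "localhost".
func hostAllowed(hostHeader string, allowed []string) bool {
	if hostHeader == "" {
		return false
	}
	host, _, err := net.SplitHostPort(hostHeader)
	if err != nil {
		// No port present: use the header as-is, minus IPv6 brackets.
		host = strings.Trim(hostHeader, "[]")
	}
	for _, a := range allowed {
		if strings.EqualFold(host, a) {
			return true
		}
	}
	return false
}

// originAllowed applies the same allowlist to the host of an Origin header.
// Non-http(s) origins, including the literal "null", are rejected.
func originAllowed(origin string, allowed []string) bool {
	u, err := url.Parse(origin)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	return hostAllowed(u.Host, allowed)
}

// dnsRebindingProtection wraps a handler so that requests whose Host header
// (or Origin header, if one is sent) is not on the allowlist get 403 before
// the transport sees them. Host is the primary check; Origin is secondary.
func dnsRebindingProtection(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host, allowedHosts) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		if o := r.Header.Get("Origin"); o != "" && !originAllowed(o, allowedHosts) {
			http.Error(w, "forbidden: unexpected Origin header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sseEndpoint is a stand-in for the real SSE transport (assumed shape). It
// only emits the initial "endpoint" event a client would use to post messages.
func sseEndpoint(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Cache-Control", "no-cache")
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "event: endpoint\ndata: /messages\n\n")
}

// probe replays a constructed GET /sse with the given Host and optional Origin
// header against a handler and returns the HTTP status it produced.
func probe(h http.Handler, hostHeader, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "http://"+hostHeader+"/sse", nil)
	req.Host = hostHeader
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vulnerable := http.HandlerFunc(sseEndpoint)
	hardened := dnsRebindingProtection(vulnerable)
	// The second Host value is what the server sees after the attacker's
	// domain has been rebound to 127.0.0.1 (constructed sample input).
	for _, h := range []string{"127.0.0.1:8080", "attacker.example:8080"} {
		fmt.Printf("Host %-24s vulnerable=%d hardened=%d\n",
			h, probe(vulnerable, h, ""), probe(hardened, h, ""))
	}
}
```

The Host comparison is an exact match on the host part, so 127.0.0.1.attacker.example and localhost.attacker.example are rejected where a prefix or substring check would have let them through. An absent Origin header is allowed because ordinary MCP clients are not browsers and send none; a present but foreign Origin is rejected as a defence in depth, not as the primary control.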