Overview
Both the official MCP TypeScript SDK (< 1.24.0) and Python SDK (< 1.23.0) lack DNS rebinding protection for localhost-bound SSE and StreamableHTTP servers, allowing malicious websites to pivot to local MCP servers through the browser.
Who Is Affected
Reported via GitLab security advisory. Affects all developers running local MCP servers built with the official SDKs, which is the standard development setup for MCP server builders.
Where It Exists
The vulnerability is in the official @modelcontextprotocol/sdk (TypeScript) and mcp Python package. Both fail to validate the Host header on incoming requests, allowing DNS rebinding attacks against localhost-bound servers.
When It Was Found
CVEs assigned in July 2025. Fixed in TypeScript SDK 1.24.0+ and Python SDK 1.23.0+. The vulnerability affected all prior versions of both SDKs.
How It Works
An attacker hosts a malicious website that performs DNS rebinding: the domain initially resolves to the attacker's server, then re-resolves to 127.0.0.1. The browser, believing it's still communicating with the attacker's domain, sends requests that actually hit the local MCP server. Since the SDK doesn't validate the Host header, these cross-origin requests are processed as legitimate.
Impact
Remote websites can interact with local MCP servers as if they were the legitimate client. This enables unauthorized tool invocation, data exfiltration from connected services, and potential code execution depending on the server's capabilities. The issue is particularly dangerous because it bridges the boundary between remote web content and local services.
Mitigation
Update to TypeScript SDK >= 1.24.0 and Python SDK >= 1.23.0 immediately. These versions add Host header validation. Additionally, implement CORS restrictions, bind only to loopback interfaces, and add authentication tokens for local MCP server connections.
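The check described in "How It Works" and "Mitigation" (validating the Host header on a localhost-bound server) can be illustrated with the following added example. It is not code from the MCP SDKs; the allowlist, the `guard_request` wrapper and the `.example` domains are constructed for illustration, and the rejection status 421 is a choice, not the SDKs' behaviour.

```python
# Host-header allowlist for a localhost-bound MCP-style HTTP server. In a DNS
# rebinding attack the request reaches 127.0.0.1 while the browser still sends
# the attacker's domain as Host, so rejecting unknown Host values stops it early.
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Names a local development server should answer to (constructed allowlist).
ALLOWED_HOSTNAMES = frozenset({"localhost"})


def parse_host_header(host_header: str) -> str:
    """Return the lowercase hostname from 'host', 'host:port' or '[::1]:port'.

    Raises ValueError if the value is not a bare authority (path, query,
    fragment or userinfo present) or the port is not a valid number.
    """
    value = host_header.strip()
    parsed = urlsplit("//" + value)
    if parsed.netloc != value or "@" in value or not parsed.hostname:
        raise ValueError(f"malformed Host header: {host_header!r}")
    _ = parsed.port  # raises ValueError for a non-numeric or out-of-range port
    return parsed.hostname


def is_allowed_host(host_header: str | None) -> bool:
    """True only for an allowlisted name or a loopback IP literal."""
    if not host_header:  # browsers always send Host; treat absence as hostile
        return False
    try:
        hostname = parse_host_header(host_header)
    except ValueError:
        return False
    if hostname in ALLOWED_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:  # not an IP literal, e.g. "127.0.0.1.attacker.example"
        return False


def guard_request(headers: dict[str, str]) -> tuple[int, str]:
    """Gate a request on its Host header before handing it to the MCP handler."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if not is_allowed_host(host):
        return 421, "Misdirected Request: Host is not a permitted local name"
    return 200, "dispatched to MCP handler"
```

Exact-match comparison matters here: a rebound name such as `localhost.attacker.example` or `127.0.0.1.attacker.example` must fail, which a prefix or substring check would not guarantee.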