
Neo4j MCP Cypher Server DNS Rebinding / Database Takeover

Also known as: Neo4j MCP SOP Bypass, GHSA-vcqx-v2mg-7chx

Severity: High | Published: September 11, 2025 | Source: GitHub Security Advisory | CVE-2025-10193

Overview

A DNS rebinding vulnerability in the Neo4j MCP Cypher server (versions 0.2.2 through 0.3.1) bypasses the browser's Same-Origin Policy, enabling unauthorized tool invocations and complete takeover of locally running Neo4j instances. CVSS score: 7.4.

Who Is Affected

Reported via GitHub Security Advisory GHSA-vcqx-v2mg-7chx. Affects developers and organizations running the Neo4j MCP server locally alongside Neo4j graph databases.

Where It Exists

The vulnerability is in the SSE transport of the mcp-neo4j server package. The transport binds to localhost without validating the Host header, so a browser that has been DNS-rebound to 127.0.0.1 by a malicious website can reach it.

When It Was Found

Published October 13, 2025. Affects versions 0.2.2 through 0.3.1. Fixed in v0.4.0.

How It Works

A malicious website performs DNS rebinding to pivot to the local Neo4j MCP server. Once connected, the attacker can invoke Cypher query tools to read, modify, or delete any data in the Neo4j database. Since Neo4j is commonly used for knowledge graphs, identity management, and recommendation engines, the data is often highly sensitive.

Impact

Complete takeover of the local Neo4j database. Attackers can execute arbitrary Cypher queries to exfiltrate all graph data, modify records, delete databases, or inject malicious nodes/relationships. For organizations using Neo4j for identity or access management, this could enable privilege escalation in connected systems.

Mitigation

Update to mcp-neo4j v0.4.0 or later. Implement Host header validation and CORS restrictions. Require authentication tokens for MCP connections. Restrict the Neo4j user account used by the MCP server to read-only access where possible.
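The Host header validation called for above, and the missing check described under "Where It Exists", as an added example that is not the mcp-neo4j project's own code: a stdlib-only ASGI middleware that sits in front of a localhost-bound SSE endpoint and answers 421 Misdirected Request unless the Host header (port stripped) is a loopback name. A DNS-rebinding request arrives from the browser with the attacker's domain in the Host header even though it resolves to 127.0.0.1, so this one check defeats it. The names `host_is_allowed`, `HostAllowlistMiddleware`, the port 8000 and the hostnames in `simulate_request` are assumptions constructed for the example; the check applies to any ASGI server, not only the one this page discusses.

```python
"""Host header allowlist for a localhost-bound MCP SSE endpoint (added example)."""
import asyncio
from typing import Iterable, Optional

# Hosts a locally bound server should accept. A DNS-rebinding request carries
# the attacker's domain in Host, which is never in this set.
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def host_is_allowed(host_header: Optional[str],
                    allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS) -> bool:
    """Return True only if the Host header, minus any port, is in the allowlist."""
    if not host_header:
        return False  # a missing Host header is rejected, not assumed local
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. "[::1]:8000"
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:  # "localhost:8000" -> "localhost"
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}


class HostAllowlistMiddleware:
    """Minimal ASGI middleware: rejects HTTP requests whose Host is not allowlisted."""

    def __init__(self, app, allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS):
        self.app = app
        self.allowed = frozenset(allowed)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        host = None
        for name, value in scope.get("headers", []):  # ASGI header names are lowercase bytes
            if name == b"host":
                host = value.decode("latin-1")
                break
        if not host_is_allowed(host, self.allowed):
            await send({"type": "http.response.start", "status": 421,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Misdirected Request"})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the real SSE app: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_request(host_header: Optional[str]) -> int:
    """Drive the middleware with a constructed ASGI scope and return the status code."""
    headers = [] if host_header is None else [(b"host", host_header.encode("latin-1"))]
    scope = {"type": "http", "method": "GET", "path": "/sse", "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(HostAllowlistMiddleware(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # Constructed requests: a genuine local client versus a rebound browser request.
    print("127.0.0.1:8000 ->", simulate_request("127.0.0.1:8000"))
    print("rebind.example ->", simulate_request("rebind.example"))
```

The middleware only reads the Host header, so it works unchanged for the SSE endpoint, the message endpoint and any health route; the allowlist should be extended only with names the operator actually serves the MCP endpoint on, never with a wildcard. It complements, rather than replaces, the token authentication and CORS restrictions listed above.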
