SB2025121831 - Security restrictions bypass in MCP Python SDK

Description

This security bulletin contains information about 1 security vulnerability.

1) Insecure dfefault initialization of resource (CVE-ID: CVE-2025-66416)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to software does not enable DNS rebinding protection by default for HTTP-based servers. A remote attacker can trick the victim into visiting a malicious website and to bypass same-origin policy restrictions by exploiting DNS rebinding and initiate requests to the local MCP server.

Successful exploitation of the vulnerability requires that an HTTP-based MCP server is running on the localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings.

Remediation

Install update from vendor's website.

References

• https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99
• https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f