Docker MCP Gateway DNS Rebinding Vulnerability in Versions Through 0.27.0

A DNS rebinding vulnerability has been identified in Docker MCP Gateway versions through 0.27.0. This issue arises when the gateway is operated in SSE or streaming transport mode, allowing an attacker to exploit MCP servers behind the gateway. The vulnerability can be triggered by getting a victim to visit a malicious website or interact with a harmful advertisement. Once exploited, the attacker could manipulate tools or features of the MCP servers. However, this vulnerability does not exist when the gateway is running in the default standard input mode, which does not open network ports.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of MCP servers and their exposed tools or features, potentially allowing for broader attacks or misuse of the MCP server capabilities.

Reproduction

To reproduce this vulnerability, run Docker MCP Gateway in versions through 0.27.0, specifically in SSE or streaming mode. Once the gateway is active, an attacker can lure a victim to a malicious website or serve them a harmful advertisement. When the victim interacts with the site or ad, the DNS rebinding attack will be executed, targeting the MCP servers behind the gateway.

Remediation

Users can upgrade to Docker MCP Gateway version 0.28.0 or later, which addresses the DNS rebinding vulnerability. If an immediate upgrade is not possible, the gateway can be run in the default standard input mode to avoid the vulnerability.