Model Context Protocol Python SDK DNS Rebinding Vulnerability on Localhost Servers
Vulnerability
A vulnerability exists in the Model Context Protocol (MCP) Python SDK, specifically in versions prior to 1.23.0, where DNS rebinding protection is not enabled by default for HTTP-based servers. This issue can be exploited when an MCP server is hosted on localhost without authentication, using FastMCP with streamable HTTP or SSE transport, and without configured TransportSecuritySettings. In such scenarios, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to access resources or invoke tools on the MCP server on behalf of the user. It is important to note that running HTTP-based MCP servers locally without authentication is discouraged by MCP security best practices. This vulnerability does not impact servers using stdio transport.
Impact
Exploitation of this vulnerability could lead to unauthorized access to tools and resources on the local MCP server, bypassing same-origin policy restrictions.
Reproduction
To reproduce this vulnerability, set up an HTTP-based MCP server using FastMCP on localhost without authentication. Ensure that the server is configured to use streamable HTTP or SSE transport, and do not apply any TransportSecuritySettings. Once the server is running, a malicious website can exploit DNS rebinding to send requests to the local server, bypassing same-origin policy restrictions.
Remediation
Update the Model Context Protocol Python SDK to version 1.23.0 or later, which automatically enables DNS rebinding protection for localhost servers. For custom low-level server configurations using StreamableHTTPSessionManager or SseServerTransport, explicitly configure TransportSecuritySettings when running an unauthenticated server on localhost.
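The protection that the advisory refers to is a per-request check of the HTTP Host and Origin headers against an allow-list: a page that has rebound its DNS name to 127.0.0.1 arrives with the attacker's domain in Host (and in Origin, when the browser sends one), so an allow-list limited to localhost rejects it. The following is an added, standalone model of that check, written for this page; it is not the MCP SDK's own code and does not import it. The class and field names (`TransportSecuritySettings`, `enable_dns_rebinding_protection`, `allowed_hosts`, `allowed_origins`) follow the SDK's public settings as far as the advisory names them and should be verified against the installed version; the sample request headers are constructed, not captured.

```python
"""Standalone model of DNS rebinding protection for a localhost HTTP server.

Added example, not the MCP SDK's own implementation. It performs the two
checks such protection applies to every incoming request:

  1. the Host header must name the local server (e.g. localhost:8000);
  2. if an Origin header is present (browser-initiated request), it must be
     on an allow-list of trusted web origins.

A request from a rebound page carries the attacker's domain in Host, so the
first check already rejects it even when no Origin header is sent.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass
class TransportSecuritySettings:
    # Modeled after the SDK's settings (assumed field names); the pre-1.23.0
    # behaviour corresponds to enable_dns_rebinding_protection=False.
    enable_dns_rebinding_protection: bool = True
    allowed_hosts: list = field(
        default_factory=lambda: ["localhost:*", "127.0.0.1:*"])
    allowed_origins: list = field(
        default_factory=lambda: ["http://localhost:*", "http://127.0.0.1:*"])


def _matches(value: str, pattern: str) -> bool:
    """Exact match, or any numeric port when the pattern ends in ':*'.

    The port suffix must be digits only, so 'localhost:8000.evil.com' does
    not match 'localhost:*'.
    """
    if pattern.endswith(":*"):
        base = pattern[:-2]
        if value == base:
            return True
        if value.startswith(base + ":"):
            return value[len(base) + 1:].isdigit()
        return False
    return value == pattern


def validate_request(headers: Mapping[str, str],
                     settings: TransportSecuritySettings) -> Optional[str]:
    """Return None if the request may proceed, else a short rejection reason.

    Header names are compared case-insensitively, as HTTP requires.
    """
    if not settings.enable_dns_rebinding_protection:
        return None  # the vulnerable default described in the advisory
    lowered = {k.lower(): v for k, v in headers.items()}
    host = lowered.get("host")
    if host is None or not any(_matches(host, p) for p in settings.allowed_hosts):
        return f"invalid Host header: {host!r}"
    origin = lowered.get("origin")
    if origin is not None and not any(
            _matches(origin, p) for p in settings.allowed_origins):
        return f"invalid Origin header: {origin!r}"
    return None


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "local MCP client, no Origin": {"Host": "localhost:8000"},
    "local web UI on another port": {"Host": "127.0.0.1:8000",
                                     "Origin": "http://localhost:3000"},
    "rebound attacker page": {"Host": "attacker.example:8000",
                              "Origin": "http://attacker.example:8000"},
    "missing Host header": {},
}


def evaluate_all(settings: TransportSecuritySettings) -> dict:
    """Map each sample request to its decision (None = accepted)."""
    return {name: validate_request(h, settings)
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, settings in (("protection enabled", TransportSecuritySettings()),
                            ("protection disabled",
                             TransportSecuritySettings(
                                 enable_dns_rebinding_protection=False))):
        print(f"== {label} ==")
        for name, verdict in evaluate_all(settings).items():
            print(f"  {name}: {'accepted' if verdict is None else verdict}")
```

Run with protection enabled, the rebound request and the request without a Host header are rejected while the two local requests pass; with protection disabled every request is accepted, which is the situation the advisory describes for versions before 1.23.0. The port-wildcard patterns keep the allow-list workable for local development servers that bind to arbitrary ports without opening it to other hostnames.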
