MCP Java SDK DNS Rebinding Vulnerability Allowing Unauthorized Access to Private Servers

Vulnerability

A DNS rebinding vulnerability has been identified in the MCP Java SDK prior to version 1.0.0. It allows an attacker to reach a locally running or network-private MCP server through the browser of a victim who is on the same host or an adjacent network. Successful exploitation lets the attacker make tool calls to the server as if they were a locally running MCP-connected AI agent. The root cause is missing Origin header validation, which violates the MCP specification: servers must validate the Origin header on all incoming connections precisely to prevent DNS rebinding attacks.

Impact

Exploitation allows unauthorized access to private or local MCP servers, enabling attackers to make tool calls as if they were a connected AI agent.

Remediation

Users should update to MCP Java SDK version 1.0.0, which addresses the vulnerability by implementing proper Origin header validation. Alternatively, an MCP server can be run behind a reverse proxy that validates the Host and Origin headers, or hosted in a framework that enforces strict CORS and Origin validation, such as Spring AI.
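As an added illustration of the mitigation described above (this is example code written for this advisory, not the MCP Java SDK's own fix and not Spring AI's implementation), the following Jakarta Servlet filter rejects any request whose Host header names something other than the server's own addresses, and any browser request whose Origin header is not on an allow-list. Under DNS rebinding the browser resolves the attacker's domain to the private server's IP, so the Host header still carries the attacker's domain and the Origin header carries the attacker's page origin; checking both in front of the MCP endpoint stops the rebound page before any tool call is parsed. The class name, the port 8080 and the allow-list contents are assumptions for the example.

```java
// Added example (not the MCP Java SDK's own code): a Jakarta Servlet filter that
// enforces Host and Origin allow-listing in front of an MCP HTTP endpoint.
// The allow-lists, the port 8080 and the class name are assumptions.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.util.Locale;
import java.util.Set;

public class OriginValidationFilter implements Filter {

    // Hostnames under which this server may legitimately be addressed (assumed list).
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "127.0.0.1", "[::1]");

    // Browser origins permitted to talk to the server, compared as full scheme://host[:port] (assumed list).
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "http://localhost:8080", "http://127.0.0.1:8080", "http://[::1]:8080");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAllowed(request.getHeader("Host"), request.getHeader("Origin"))) {
            // Reject before any MCP message is parsed, so a rebound page never reaches tool handlers.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Host or Origin not permitted");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Host is mandatory in HTTP/1.1 and, under DNS rebinding, still names the attacker's
     * domain, so it is checked on every request. Origin is set only by browsers, so it is
     * checked whenever it is present; non-browser MCP clients that omit it are still
     * gated by the Host check.
     */
    static boolean isAllowed(String hostHeader, String originHeader) {
        if (hostHeader == null || hostHeader.isBlank()) {
            return false;
        }
        if (!ALLOWED_HOSTS.contains(stripPort(hostHeader).toLowerCase(Locale.ROOT))) {
            return false;
        }
        if (originHeader != null && !ALLOWED_ORIGINS.contains(originHeader.toLowerCase(Locale.ROOT))) {
            return false;
        }
        return true;
    }

    /** Remove a trailing :port from "host:port" or "[v6-literal]:port". */
    static String stripPort(String host) {
        String h = host.trim();
        if (h.startsWith("[")) {
            int end = h.indexOf(']');
            return end < 0 ? h : h.substring(0, end + 1);
        }
        int colon = h.indexOf(':');
        return colon < 0 ? h : h.substring(0, colon);
    }
}
```

Register the filter on the MCP endpoint path (for example through a FilterRegistrationBean in Spring Boot or a filter-mapping in web.xml) so it runs before the transport's request handling. A reverse proxy in front of the server can apply the same two checks, which is the other mitigation the advisory names; the important property in either placement is that the Host allow-list is exact (no suffix or substring matching) and that an absent Host header is treated as a failure rather than a pass.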

Added: Apr 7, 2026, 11:26 PM
Updated: Apr 7, 2026, 11:26 PM

Vulnerability Rating (Custom Algorithm)

spread:          0.0
impact:          3.3
exploitability:  6.2
remediation:     0.0
relevance:       5.4
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.