Lucene search
K

14 matches found

Github Security Blog
Github Security Blog
added 2026/04/01 9:9 p.m.13 views

DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost

The Model Context Protocol MCP Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origi...

8.1CVSS5.9AI score0.00455EPSS
Exploits0References6Affected Software1
Vulnrichment
Vulnrichment
added 2025/12/02 6:14 p.m.4 views

CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.23.0, tThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...

7.6CVSS6.2AI score0.00463EPSS
Exploits0References2
OSV
OSV
added 2025/12/02 6:12 p.m.7 views

CVE-2025-66414 DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol MCP TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without...

7.6CVSS6.5AI score0.00463EPSS
Exploits0References4
OSV
OSV
added 2025/12/02 4:52 p.m.9 views

GHSA-9H52-P55H-VW2F Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

Description The Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...

7.6CVSS6.8AI score0.00463EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2025/12/02 4:52 p.m.20 views

Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

Description The Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...

8.1CVSS6.9AI score0.00463EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-6347

Malicious code in bioql PyPI...

6.2CVSS5.8AI score0.00363EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/05/22 7:35 a.m.8 views

CVE-2019-5464

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the urlblocker.rb which could result in SSRF where the library is utilized...

9.8CVSS6.5AI score0.02803EPSS
Exploits1References1
OSV
OSV
added 2022/07/02 12:0 a.m.25 views

GHSA-H9CW-7G8J-H66H Server-Side Request Forgery in link-preview-js

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery SSRF which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection...

5.5CVSS5.9AI score0.00363EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2022/07/02 12:0 a.m.39 views

Server-Side Request Forgery in link-preview-js

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery SSRF which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection...

6.2CVSS5.3AI score0.00363EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2022/07/01 8:0 p.m.30 views

CVE-2022-25876 Server-side Request Forgery (SSRF)

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery SSRF which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection...

6.2CVSS6.5AI score0.00363EPSS
Exploits1References3
CVE
CVE
added 2022/07/01 8:0 p.m.76 views

CVE-2022-25876

CVE-2022-25876 affects the npm package link-preview-js prior to version 2.1.16. The vulnerability is Server-side Request Forgery (SSRF) caused by flawed DNS rebinding protection, allowing an attacker to make arbitrary requests from the vulnerable host to the local network and read responses. Affe...

6.2CVSS5.6AI score0.00363EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2022/03/10 11:2 p.m.8 views

OPENSUSE-SU-2022:0079-1 Security update for minidlna

This update for minidlna fixes the following issues: minidlna was updated to version 1.3.1 boo1196814 - Fixed a potential crash in SSDP request parsing. - Fixed a configure script failure on some platforms. - Protect against DNS rebinding attacks. CVE-2022-26505 - Fix an socket leakage issue on...

7.4CVSS7.6AI score0.01578EPSS
Exploits0References4
Slackware Linux
Slackware Linux
added 2020/04/15 8:47 p.m.13 views

[slackware-security] bind

New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/bind-9.11.18-i586-1slack14.2.txz: Upgraded. This update fixes a security issue: DNS rebinding protection was ineffective wh...

6.9AI score
Exploits0
OSV
OSV
added 2020/01/28 3:15 a.m.20 views

CVE-2019-5464

A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the urlblocker.rb which could result in SSRF where the library is utilized...

9.8CVSS6.5AI score
Exploits0References3
Rows per page
Query Builder