What is the CVSS score of CVE-2025-66414?

CVE-2025-66414 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mcp Typescript Sdk are affected by CVE-2025-66414?

The MCP TypeScript SDK contains a DNS rebinding vulnerability that could allow attackers to bypass security controls and access local MCP servers through malicious websites.. A patch is available.

How to fix or mitigate CVE-2025-66414?

Within 24 hours: Identify all applications and services using MCP TypeScript SDK versions prior to 1.24.0, particularly those deployed with HTTP-based servers. Within 7 days: Apply the patch to upgrade all affected instances to version 1.24.0 or later, prioritizing production systems. Within 30 days: Conduct a security review of all MCP server deployments to ensure DNS rebinding protection is explicitly enabled and authentication is implemented per MCP security best practices.

Mcp Typescript Sdk CVE-2025-66414

EUVD-2025-200274 HIGH

Initialization of a Resource with an Insecure Default (CWE-1188)

2025-12-02 security-advisories@github.com

GHSA-w48q-cv73-mx4w

Authentication Bypass Mcp Typescript Sdk

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200274

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

Patch released

Mar 15, 2026 - 14:04 nvd

Patch available

CVE Published

Dec 02, 2025 - 19:15 nvd

HIGH 8.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

42 npm packages depend on @modelcontextprotocol/sdk (34 direct, 9 indirect)

Ecosystem-wide dependent count for version 1.24.0.

DescriptionGitHub Advisory

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0.

AnalysisAI

A security vulnerability in MCP TypeScript SDK (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 8.1 indicates high severity. Affects MCP TypeScript SDK.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-66414 vulnerability details – vuln.today

Back