How to fix CVE-2025-66414?

Within 24 hours: Identify all applications and services using MCP TypeScript SDK versions prior to 1.24.0, particularly those deployed with HTTP-based servers. Within 7 days: Apply the patch to upgrade all affected instances to version 1.24.0 or later, prioritizing production systems. Within 30 days: Conduct a security review of all MCP server deployments to ensure DNS rebinding protection is explicitly enabled and authentication is implemented per MCP security best practices.

Is Mcp Typescript Sdk affected by CVE-2025-66414?

The MCP TypeScript SDK contains a DNS rebinding vulnerability that could allow attackers to bypass security controls and access local MCP servers through malicious websites.

CVE-2025-66414

EUVD-2025-200274 HIGH

2025-12-02 [email protected]

GHSA-w48q-cv73-mx4w

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200274

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

Patch Released

Mar 15, 2026 - 14:04 nvd

Patch available

CVE Published

Dec 02, 2025 - 19:15 nvd

HIGH 8.1

Description

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0.

Analysis

A security vulnerability in MCP TypeScript SDK (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical Context

Vulnerability type not specified by vendor. CVSS 8.1 indicates high severity. Affects MCP TypeScript SDK.

Affected Products

['MCP TypeScript SDK']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2025-66414 vulnerability details – vuln.today

Back

CVE-2025-66414

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-66414

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code