How serious is CVE-2025-66416?

This vulnerability has a CVSS score of 7.6 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2025-66416?

Yes, proof-of-concept exploit code for CVE-2025-66416 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2025-66416?

CVE-2025-66416 affects lfprojects mcp python sdk. Check the full CVE details for specific version information.

How do I fix CVE-2025-66416?

To remediate CVE-2025-66416, check for security patches from lfprojects. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2025-66416

High

|7.6

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker can exploit a flaw in the MCP Python SDK to send unauthorized requests to a local server running without authentication, potentially accessing sensitive resources or executing commands on behalf of the user. This vulnerability occurs only if the server is set up on localhost without proper security measures, making it critical to avoid running such servers without authentication.

Technical Description

The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, tThe Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,263($1K-$5K)

Vendor Response

Grade FPatched in 98 days

Quick Information

Published

Dec 2, 2025

4 months ago

Last Modified

Mar 10, 2026

28 days ago

Vendor

lfprojects

Product

mcp python sdk

Related Vulnerabilities

CVE-2026-27623High

An attacker with network access to the Valkey database can send a specially crafted request that causes the system to crash, disrupting service. This vulnerability affects versions 9.0.0 to 9.0.2, so it's crucial to upgrade to version 9.0.3 or ensure that only trusted users can access the system.

CVE-2026-21863High

An attacker with access to the Valkey database's clusterbus port can send a specially crafted packet that may crash the system, disrupting service. To exploit this vulnerability, the attacker must already have access to the clusterbus, so it's crucial to restrict access with proper network controls.

CVE-2025-67733High

This vulnerability allows a malicious user to inject harmful data into the responses sent to clients, which can corrupt or alter the information other users receive on the same connection. It affects specific versions of the Valkey database, and the issue arises from improper handling of errors in scripting commands.

CVE-2025-66414High

An attacker can exploit this vulnerability to send unauthorized requests to a local MCP server running on a user's machine, potentially accessing sensitive resources or tools. This can happen if the server is running without authentication on localhost and does not have DNS rebinding protection enabled, which is a risky setup that should be avoided.