
Posted on • Originally published at cvereports.com

GHSA-FVH2-GM75-J4J7: CVE-2026-42559: DNS Rebinding and CSRF in Model Context Protocol (MCP) HTTP Transport


Vulnerability ID: GHSA-FVH2-GM75-J4J7
CVSS Score: 8.8
Published: 2026-05-18

The Model Context Protocol (MCP) Rust SDK (rmcp), a transitive dependency of the dynoxide database proxy, contains a high-severity vulnerability in its streamable HTTP server transport. The component fails to validate incoming HTTP Host headers, permitting DNS rebinding and Cross-Site Request Forgery (CSRF) attacks against locally running database proxies.

TL;DR

A missing Host header validation in the rmcp HTTP transport allows attackers to execute arbitrary MCP tools on local dynoxide instances via DNS rebinding, leading to unauthenticated local database access.


⚠️ Exploit Status: POC

Technical Details

  • CVSS Score: 8.8
  • EPSS Score: 0.00018
  • CWE ID: CWE-346, CWE-350
  • Attack Vector: Network (DNS Rebinding)
  • Exploit Status: Proof of Concept
  • Impact: Data Exfiltration and Manipulation

Affected Systems

  • dynoxide-rs (crates.io)
  • dynoxide (npm)
  • rmcp (Model Context Protocol Rust SDK)
  • dynoxide: 0.9.3 - 0.9.12 (Fixed in: 0.9.13)
  • rmcp: < 1.4.0 (Fixed in: 1.4.0)

Code Analysis

Commit: 8e22aa2

Fix: Add validate_dns_rebinding_headers to streamable HTTP server transport tower layer.

fn validate_dns_rebinding_headers(headers: &HeaderMap, config: &StreamableHttpServerConfig) -> Result<(), BoxResponse> { ... }
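The following is an added example, not code from rmcp or dynoxide, showing the kind of check the fix describes: a Host/Origin allowlist applied before any MCP request is handled. The real rmcp function takes a HeaderMap and a StreamableHttpServerConfig; to stay dependency-free this version takes the two header values as Option<&str>, and the names RebindingConfig, Reject and host_name are assumptions of this example. A rebinding request carries the attacker's hostname in Host even though it resolved to 127.0.0.1, so the hostname check alone defeats it; the Origin check covers the CSRF case where a browser sends a foreign Origin.

```rust
/// Outcome of a failed check, so the transport can log why a request was refused.
#[derive(Debug, PartialEq)]
pub enum Reject {
    MissingHost,
    HostNotAllowed(String),
    OriginNotAllowed(String),
}

/// Allowlists for a server that is only meant to be reached on the loopback interface.
pub struct RebindingConfig {
    /// Hostnames (no port, no brackets) a client may put in the Host header.
    pub allowed_hosts: Vec<String>,
    /// Origins (scheme://host[:port]) a browser may send in the Origin header.
    pub allowed_origins: Vec<String>,
}

impl RebindingConfig {
    /// Sensible defaults for a local HTTP listener on `port` (assumed values).
    pub fn local_default(port: u16) -> Self {
        Self {
            allowed_hosts: vec!["localhost".into(), "127.0.0.1".into(), "::1".into()],
            allowed_origins: vec![
                format!("http://localhost:{port}"),
                format!("http://127.0.0.1:{port}"),
                format!("http://[::1]:{port}"),
            ],
        }
    }
}

/// Extract the lowercase hostname from a Host header value, dropping any port.
/// Handles "localhost:8080", "127.0.0.1" and the bracketed IPv6 form "[::1]:8080".
fn host_name(host: &str) -> String {
    let host = host.trim();
    if let Some(rest) = host.strip_prefix('[') {
        if let Some(end) = rest.find(']') {
            return rest[..end].to_ascii_lowercase();
        }
    }
    match host.rsplit_once(':') {
        // A single ':' separates host and port; more than one means unbracketed IPv6.
        Some((name, _port)) if !name.contains(':') => name.to_ascii_lowercase(),
        _ => host.to_ascii_lowercase(),
    }
}

/// Reject requests whose Host or Origin header is not on the allowlist.
/// A missing Origin is accepted because non-browser MCP clients do not send one.
pub fn validate_dns_rebinding_headers(
    host: Option<&str>,
    origin: Option<&str>,
    config: &RebindingConfig,
) -> Result<(), Reject> {
    let raw_host = host.ok_or(Reject::MissingHost)?;
    let name = host_name(raw_host);
    let host_ok = config.allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(&name));
    if !host_ok {
        return Err(Reject::HostNotAllowed(raw_host.to_string()));
    }
    if let Some(o) = origin {
        // Browsers send "null" for opaque origins; it is not on the list, so it is refused.
        let o = o.trim().to_ascii_lowercase();
        let origin_ok = config.allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(&o));
        if !origin_ok {
            return Err(Reject::OriginNotAllowed(o));
        }
    }
    Ok(())
}

fn main() {
    // Constructed header values, not captured traffic.
    let cfg = RebindingConfig::local_default(8080);
    let cases = [
        (Some("localhost:8080"), None),
        (Some("rebind.attacker.example:8080"), None),
        (Some("127.0.0.1:8080"), Some("https://evil.example")),
    ];
    for (host, origin) in cases {
        println!("{host:?} / {origin:?} -> {:?}", validate_dns_rebinding_headers(host, origin, &cfg));
    }
}
```

Wire the check in as a tower layer (or equivalent middleware) ahead of the MCP handler so it runs for every request, including the initial session-creating POST; checking only on established sessions leaves the rebinding window open.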

Mitigation Strategies

  • Upgrade the dynoxide binary to version 0.9.13 or later.
  • Upgrade the rmcp crate dependency to version 1.4.0 or later.
  • Disable the HTTP transport by using the default stdio transport (dynoxide mcp without --http).

Remediation Steps:

  1. Identify all local installations of dynoxide.
  2. Update the dynoxide package using cargo install dynoxide-rs --force or npm update dynoxide.
  3. Verify the version by running dynoxide --version.
  4. Ensure start scripts do not include the --http flag if using older versions.

References


Read the full report for GHSA-FVH2-GM75-J4J7 on our website for more details including interactive diagrams and full exploit analysis.
