ghsa-vcqx-v2mg-7chx
Vulnerability from github
Published
2025-09-11 23:26
Modified
2025-09-11 23:26
Summary
Neo4j Cypher MCP server is vulnerable to DNS rebinding
Details
Impact
A DNS rebinding vulnerability (CWE-346, origin validation error) in the Neo4j Cypher MCP server allows a malicious website to bypass the browser's Same-Origin Policy and trigger unauthorised tool invocations against an MCP instance listening on the victim's local machine. The attack requires the victim to visit the malicious site and stay on it long enough for the rebinding to take effect.
Patches
CORS middleware was added to the Cypher MCP server in v0.4.0; it blocks all web-based access by default.
Workarounds
If you cannot upgrade to v0.4.0 or later, run the server in stdio mode, which communicates over the host process's stdin/stdout and exposes no HTTP endpoint for a browser to reach.
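The following is an added illustration of the defence the Impact and Patches sections describe, not the mcp-neo4j-cypher middleware itself. It assumes a server listening on 127.0.0.1:8000 over plain HTTP; the Request/Verdict types, the loopback allow-list and the empty default origin allow-list are assumptions made for the example. The key observation is that after DNS rebinding the browser still addresses the attacker's domain, so the Host header names that domain rather than localhost, and a request from a web page that was allowed through CORS would additionally carry an Origin header.

```python
"""Added example: Host/Origin validation for a localhost MCP HTTP endpoint.

Illustrative code, not the project's own middleware. Assumed setup: the
server listens on 127.0.0.1:8000 over HTTP. Header names are standard;
the allow-lists and the Request/Verdict types are assumptions.
"""
from dataclasses import dataclass
from typing import Mapping

LISTEN_PORT = 8000
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}   # assumed allow-list
ALLOWED_ORIGINS: frozenset = frozenset()                # default: no browser access


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Mapping[str, str]


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _hostname(host_header: str) -> str:
    """Return the host part of a Host header, dropping any :port suffix."""
    host_header = host_header.strip().lower()
    if host_header.startswith("["):                      # IPv6 literal
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def check_request(req: Request,
                  allowed_origins: frozenset = ALLOWED_ORIGINS) -> Verdict:
    """Reject requests that could only have arrived via a rebound DNS name
    or from a cross-origin web page."""
    headers = {k.lower(): v for k, v in req.headers.items()}

    host = headers.get("host")
    if host is None:
        return Verdict(False, "missing Host header")
    if _hostname(host) not in LOOPBACK_HOSTS:
        # After DNS rebinding the browser still addresses the attacker's
        # domain, so Host carries that name instead of a loopback name.
        return Verdict(False, f"Host {host!r} is not a loopback name")

    origin = headers.get("origin")
    if origin is not None and origin not in allowed_origins:
        # Browsers attach Origin to cross-origin and non-GET requests;
        # with an empty allow-list every web-based caller is refused.
        return Verdict(False, f"Origin {origin!r} is not allowed")

    return Verdict(True, "ok")


def browser_request(page_origin: str, method: str, path: str) -> Request:
    """Model the request a browser sends when a page at page_origin fetches
    path on its own origin after that origin's name has been rebound to
    127.0.0.1. Host always names the URL the page used, never the resolved
    address; Origin is sent on non-GET requests."""
    host = page_origin.split("://", 1)[1]
    headers = {"Host": host}
    if method != "GET":
        headers["Origin"] = page_origin
    return Request(method, path, headers)


def local_client_request(path: str) -> Request:
    """A non-browser client (the MCP host process) talking to loopback."""
    return Request("POST", path, {"Host": f"127.0.0.1:{LISTEN_PORT}"})


if __name__ == "__main__":
    rebound = browser_request(f"http://attacker.example:{LISTEN_PORT}", "POST", "/mcp")
    print(check_request(rebound))                        # rejected on Host
    print(check_request(local_client_request("/mcp")))   # allowed
```

The Host check is what stops the rebinding case even for a plain GET that carries no Origin header; the Origin check covers a page that reaches the server by a loopback URL directly and is what a default-deny CORS policy amounts to. A client that needs browser access would have to be added to the origin allow-list explicitly.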
References
Vendor Advisory: https://neo4j.com/security/cve-2025-10193
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-10193
Credits
We want to publicly recognize the contribution of Evan Harris from mcpsec.dev (https://mcpsec.dev/) for reporting this issue and following the responsible disclosure policy (https://neo4j.com/trust-center/responsible-disclosure/).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mcp-neo4j-cypher"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.2"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10193"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-11T23:26:00Z",
"nvd_published_at": "2025-09-11T14:15:40Z",
"severity": "HIGH"
},
"details": "### Impact\nDNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances.\u0026nbsp;The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.\n\n### Patches\nCORS Middleware added to Cypher MCP server v0.4.0 that blocks all web-based access by default.\n\n### Workarounds\nIf you cannot upgrade to v0.4.0 and above, use stdio mode.\n\n### References\n[Vendor Advisory](https://neo4j.com/security/cve-2025-10193)\nhttps://www.cve.org/CVERecord?id=CVE-2025-10193 \n\nCredits\nWe want to publicly recognize the contribution of Evan Harris from [mcpsec.dev](https://mcpsec.dev/) for reporting this issue and following the responsible disclosure [policy](https://neo4j.com/trust-center/responsible-disclosure/).",
"id": "GHSA-vcqx-v2mg-7chx",
"modified": "2025-09-11T23:26:00Z",
"published": "2025-09-11T23:26:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-vcqx-v2mg-7chx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10193"
},
{
"type": "WEB",
"url": "https://github.com/neo4j-contrib/mcp-neo4j/pull/165"
},
{
"type": "WEB",
"url": "https://github.com/neo4j-contrib/mcp-neo4j/commit/5b9fbdda6401668d7aa006daf7e644805c067c15"
},
{
"type": "PACKAGE",
"url": "https://github.com/neo4j-contrib/mcp-neo4j"
},
{
"type": "WEB",
"url": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.4.0"
},
{
"type": "WEB",
"url": "https://neo4j.com/security/cve-2025-10193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": " Neo4j Cypher MCP server is vulnerable to DNS rebinding "
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.