CVE-2025-59163

vet MCP Server SSE Transport DNS Rebinding Vulnerability

CVSS 2.1 (Low) · EPSS 0.4% · CWE-350
In short

The vet security tool fails to validate HTTP headers when running as a server, allowing attackers on the same network to trick it into exposing scan database information through a DNS rebinding attack.

Technical detail

CVE-2025-59163 is a DNS rebinding vulnerability (CWE-350) in vet's MCP Server SSE transport layer affecting versions ≤1.12.4. The vulnerability stems from missing Host and Origin header validation; an attacker can rebind a domain to localhost and access the sqlite3 query MCP tool to exfiltrate scan database contents. Requires network access and default port configuration; fixed in v1.12.5.

Summary generated and translated by AI from the official description.
vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
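The defect described above is the absence of Host and Origin header checks on a loopback-bound SSE endpoint. In a DNS rebinding attack the browser resolves the attacker's name to 127.0.0.1, so the request reaches the local server carrying the attacker's hostname in Host and Origin; a server that only accepts loopback names in those headers refuses it. The following is an added example of such a guard as a net/http middleware, written for this page and not code from the vet project; the allowlist, the function names (checkHost, checkOrigin, rebindingGuard, probe) and the "/sse" path are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// hostAllowlist holds the only hostnames a locally bound SSE server should
// accept in Host and Origin. Loopback names only, because the server is meant
// to be reached by a local MCP client (assumed policy for this example).
var hostAllowlist = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
}

// checkHost returns an error unless the Host header names a loopback host.
// A port suffix is stripped first, so "localhost:8080" and "[::1]:8080" pass,
// while a rebound name such as "attacker.example:8080" is rejected.
func checkHost(hostHeader string) error {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	host = strings.Trim(strings.ToLower(host), "[]")
	if !hostAllowlist[host] {
		return fmt.Errorf("rejected Host header %q", hostHeader)
	}
	return nil
}

// checkOrigin accepts a missing Origin (non-browser clients such as a CLI MCP
// client send none) and otherwise requires the Origin's host to be loopback.
// An Origin of "null" or any non-URL value has no host and is rejected.
func checkOrigin(originHeader string) error {
	if originHeader == "" {
		return nil
	}
	u, err := url.Parse(originHeader)
	if err != nil || u.Host == "" {
		return fmt.Errorf("malformed Origin header %q", originHeader)
	}
	return checkHost(u.Host)
}

// rebindingGuard wraps a handler and answers 403 when either header fails
// validation, before the wrapped handler (the SSE endpoint) runs at all.
func rebindingGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := checkHost(r.Host); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		if err := checkOrigin(r.Header.Get("Origin")); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard and returns the
// resulting HTTP status code, so the policy can be exercised without a socket.
func probe(host, origin string) int {
	guarded := rebindingGuard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Local client: accepted. Rebound hostname in Host, or a foreign page's
	// Origin with a correct Host: both refused with 403.
	fmt.Println(probe("localhost:8080", ""))
	fmt.Println(probe("attacker.example:8080", ""))
	fmt.Println(probe("localhost:8080", "http://attacker.example"))
}
```

The Host check alone defeats the rebinding case from the advisory, because a browser keeps sending the attacker's hostname in Host even after the name resolves to 127.0.0.1; the Origin check additionally stops cross-site requests from a page that somehow reaches the loopback address with a correct Host. Neither check is a substitute for binding the listener to 127.0.0.1 rather than all interfaces.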
Affected products
safedep · vet
