The 19-Year-Old Browser Bug That Breaks MCP

▶ Watch (0:04)

Browsers let malicious websites talk to localhost servers without prompting. This is a 19-year-old behavior in Mozilla’s bug tracker. MITRE refused to assign a CVE, calling it “acquired by the W3C standard.” Leitschuh disagrees. The same-origin policy blocks piratebay.com from attacking mybank.com, but it does not block a malicious site from attacking a server running on 127.0.0.1. Simple GET and POST requests bypass preflight checks. Developers do not know this.

DNS Rebinding: Bypassing the Same Origin Policy in Seconds

▶ Watch (10:25)

DNS rebinding lets an attacker send complex requests to local servers. A malicious DNS server responds with multiple IP answers. The second answer is 127.0.0.1. Chrome fails over to the localhost answer in about 3 seconds. NCC Group’s Singularity of Origin tool automates the attack. Leitschuh used it to target MCP servers. The MCP specification warns implementers to validate the Origin header. The TypeScript SDK shipped with DNS rebinding protection “disabled by default for backwards compatibility.”

Eight MCP Servers Hacked, One Still Unpatched

▶ Watch (16:02)

Leitschuh hacked the MCP protocol “everything” server, Google OSS-Fuzz, Google Cloud Run, Google Toolbox for databases, Apollo GraphQL, Docker MCP Gateway, and AWS Labs. Google OSS-Fuzz had a remote code execution vulnerability through an MCP tool. Google awarded $200 per bug. Docker paid with a t-shirt. Google Toolbox ships with a warning and an opt-in patch. Leitschuh gave Google over 90 days. The patch is not enabled by default. As of the talk, Google Toolbox is a 0-day.

The Fix: A Tier System and a Curl Command

▶ Watch (21:52)

Anthropic added a tier system for API maturity. Tier 1 is guarded. Tier 2 and 3 are not guaranteed. Anthropic assigned a CVE for the TypeScript SDK and awarded a $1,500 bounty. Leitschuh’s total: $2,100 and a t-shirt. To test your server, run a curl command with a mismatched Host header. If the server responds, it is vulnerable. Browsers set the Host header. MCP clients do not. Chrome and Edge prompt users. Firefox and Safari do not. Brave fixed the issue in 2022 but holds 1.63% market share.
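
The server-side check that both attack paths above run into, written here as an added example (it is not code from the MCP SDK or from the talk): a Host and Origin allowlist for a server bound to loopback. The function names, the allowlist and port 3001 in the usage note are assumptions made for this sketch.

```javascript
// Added example, not SDK code. Names and the allowlist are assumptions for this sketch.
const ALLOWED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Parse "host[:port]" (IPv6 literals are bracketed); a missing port means 80.
function splitHostPort(value) {
  const m = /^(\[[0-9a-f:.]+\]|[^:\/\s]+)(?::(\d{1,5}))?$/i.exec(String(value).trim());
  return m ? { hostname: m[1].toLowerCase(), port: Number(m[2] ?? 80) } : null;
}

// Decide whether a request may reach a server bound to 127.0.0.1:<port>.
function checkRequest(headers, port) {
  // Rebinding case: the browser connects to 127.0.0.1 but still sends the
  // rebound site's name in Host, so Host must name loopback and our port.
  const host = splitHostPort(headers.host ?? "");
  if (!host) return { ok: false, reason: "missing or malformed Host" };
  if (!ALLOWED_HOSTNAMES.has(host.hostname) || host.port !== port) {
    return { ok: false, reason: "Host is not this loopback server" };
  }
  // Simple cross-origin case: Host is correct, but browsers attach the page's
  // Origin to cross-origin fetch and POST requests. Non-browser clients
  // usually send no Origin, so its absence is accepted.
  if (headers.origin === undefined) return { ok: true, reason: "no Origin header" };
  let origin;
  try {
    origin = new URL(headers.origin); // the literal "null" origin fails to parse
  } catch {
    return { ok: false, reason: "unparseable Origin" };
  }
  const originPort = Number(origin.port || (origin.protocol === "https:" ? 443 : 80));
  const sameServer = (origin.protocol === "http:" || origin.protocol === "https:") &&
    ALLOWED_HOSTNAMES.has(origin.hostname) && originPort === port;
  return sameServer ? { ok: true, reason: "loopback Origin" }
                    : { ok: false, reason: "Origin is not this loopback server" };
}

// Call first in a node:http request handler; stop handling when it returns false.
function guard(req, res, port) {
  const verdict = checkRequest(req.headers, port);
  if (!verdict.ok) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("Forbidden: " + verdict.reason + "\n");
  }
  return verdict.ok;
}
```

With this guard in front of a handler on port 3001, the mismatched-Host test, for example `curl -H "Host: attacker.example" http://127.0.0.1:3001/`, gets a 403 instead of a normal response.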

Q&A

Does this attack work against dev servers too? Yes, any local server with access to developer data is vulnerable. ▶ Watch (25:20)

Notable Quotes

“That little line right there attached to this. Without these protections, attackers could use DNS rebinding to interact with local MCP servers from remote websites.” Jonathan Leitschuh · ▶ Watch (15:11)

“DNS rebinding is disabled by default for backwards compatibility. If you’re running this server locally, make sure you set these flags.” Jonathan Leitschuh · ▶ Watch (15:43)

“I gave Google well over 90 days to fix this and they did not.” Jonathan Leitschuh · ▶ Watch (20:30)

Key Takeaways

  • DNS rebinding bypasses the same-origin policy in 3 seconds on Chrome.
  • The MCP TypeScript SDK shipped with protections disabled by default.
  • Google Toolbox for databases remains unpatched as a 0-day.

About the Speaker(s)

Jonathan Leitschuh is an open source software security researcher and self-described Vulnerability Janitor. He was the inaugural Dan Kaminsky Fellow at HUMAN Security and later led research for OpenSSF’s Alpha-Omega project. He is best known for his 2019 Zoom zero-day disclosure.