CVE-2025-10193 Overview
CVE-2025-10193 is a DNS rebinding vulnerability affecting the Neo4j Cypher Model Context Protocol (MCP) server. The flaw allows malicious websites to bypass Same-Origin Policy (SOP) protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. Exploitation requires a user to visit an attacker-controlled website and remain there long enough for the DNS rebinding sequence to complete. Once rebinding succeeds, the attacker's browser-resident JavaScript can reach the loopback MCP service and invoke Cypher tooling as if it were a trusted local client. The vulnerability is classified under [CWE-346: Origin Validation Error].
Critical Impact
A successful attack grants a remote website the ability to issue arbitrary Cypher tool calls against the victim's local Neo4j MCP server, exposing graph data and enabling unauthorised database operations.
Affected Products
- Neo4j Cypher MCP server (mcp-neo4j-cypher) versions prior to v0.4.0
- Local Neo4j MCP instances exposed on loopback interfaces
- Developer workstations running the MCP server alongside browser sessions
Discovery Timeline
- 2025-09-11 - CVE-2025-10193 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-10193
Vulnerability Analysis
The Neo4j Cypher MCP server listens on a local network interface so that AI assistants and developer tools can issue Cypher queries through the Model Context Protocol. Browsers normally prevent cross-origin JavaScript from reaching such local services through the Same-Origin Policy. The server, however, does not validate the HTTP Host header or enforce origin checks on incoming requests. This omission permits a DNS rebinding attacker to bridge a malicious public origin to the local MCP endpoint.
Root Cause
The root cause is missing origin validation on the MCP HTTP transport. The server trusts any request that reaches its socket without confirming that the Host header, Origin header, or remote network identity match an expected local client. Because the attacker controls the DNS response served to the victim, the browser believes it is still communicating with the original malicious domain while the TCP connection terminates on the local Neo4j MCP service.
Attack Vector
The attacker hosts a page on a domain they control and configures the authoritative DNS server to return short time-to-live (TTL) records. The victim loads the page, and the initial DNS response resolves to the attacker's web server. After the page loads, the attacker's DNS rebinds the same hostname to 127.0.0.1 or another loopback address where the Neo4j MCP server listens. JavaScript on the page then issues fetch requests to the same origin, which the browser now routes to the local MCP server. Because the request origin still matches the attacker's domain from the browser's perspective, the Same-Origin Policy permits the call, and the MCP server accepts it without origin validation. The attacker can then invoke Cypher tools to read graph data, modify nodes, or perform other database operations within the user's authenticated MCP session.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-vcqx-v2mg-7chx and the Neo4j CVE-2025-10193 Report.
Detection Methods for CVE-2025-10193
Indicators of Compromise
- Inbound HTTP requests to the local MCP port carrying an external Host header that does not resolve to localhost or 127.0.0.1.
- Unexpected Cypher tool invocations originating from browser user agents rather than known MCP clients.
- Browser process network connections to the loopback Neo4j MCP port shortly after visiting an untrusted website.
Detection Strategies
- Inspect MCP server access logs for requests where the Host header references a public domain instead of a loopback identifier.
- Correlate browser DNS resolution patterns showing rapid TTL-driven changes from public IPs to 127.0.0.1 for the same hostname.
- Monitor for Cypher query patterns inconsistent with the user's normal development workflow.
Monitoring Recommendations
- Enable verbose request logging on the MCP server, including Host, Origin, and Referer headers.
- Forward developer endpoint telemetry to a centralised analytics platform to correlate browser activity with local service requests.
- Alert on any process other than approved MCP clients establishing connections to the MCP listener port.
How to Mitigate CVE-2025-10193
Immediate Actions Required
- Upgrade mcp-neo4j-cypher to version v0.4.0 or later, which adds origin validation against DNS rebinding.
- Restrict the MCP listener to 127.0.0.1 and avoid binding to wildcard interfaces such as 0.0.0.0.
- Avoid browsing untrusted websites in the same session where the Neo4j MCP server is running.
Patch Information
The fix is included in the GitHub Release mcp-neo4j-cypher v0.4.0. The release introduces Host header validation so that requests claiming a non-local hostname are rejected before any Cypher tool is invoked. Administrators should verify the deployed version with pip show mcp-neo4j-cypher or the equivalent package manager command.
Workarounds
- Place the MCP server behind a local authenticating proxy that enforces Host and Origin header allow-lists.
- Configure host firewall rules to block all non-loopback traffic to the MCP port.
- Stop the MCP server when it is not actively required by an AI assistant or developer tool.
# Example: restrict MCP server to loopback only and verify version
pip install --upgrade "mcp-neo4j-cypher>=0.4.0"
mcp-neo4j-cypher --host 127.0.0.1 --port 8000
# Linux host firewall rule to limit access to loopback
sudo iptables -A INPUT -p tcp --dport 8000 ! -i lo -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
