CVE-2025-64443 Overview
CVE-2025-64443 is a DNS rebinding vulnerability in Docker MCP Gateway, a tool that runs and deploys Model Context Protocol (MCP) servers. The flaw affects versions 0.27.0 and earlier when the gateway operates in sse or streaming transport mode. An attacker who lures a victim to a malicious website or serves a malicious advertisement can pivot the victim's browser to attack MCP servers running behind the gateway. The vulnerability falls under [CWE-749: Exposed Dangerous Method or Function]. Docker released version 0.28.0 to address the issue.
Critical Impact
Browser-based attackers can manipulate tools and features exposed by MCP servers behind the gateway, potentially executing privileged operations on behalf of the victim.
Affected Products
- Docker MCP Gateway versions 0.27.0 and earlier
- Gateway instances running in sse transport mode
- Gateway instances running in streaming transport mode
Discovery Timeline
- 2025-12-03 - CVE-2025-64443 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2025-64443
Vulnerability Analysis
MCP Gateway exposes a local HTTP listener when configured in sse (Server-Sent Events) or streaming transport mode. The listener lacks validation of the HTTP Host header and the request Origin. This omission allows DNS rebinding attacks where an attacker-controlled domain initially resolves to a public IP, then rebinds to a loopback or internal address. The victim's browser, treating the attacker's domain as the same origin throughout, sends authenticated requests to the local gateway.
Once the browser has been rebound, JavaScript from the malicious page can issue cross-origin requests to the MCP gateway as if it were a trusted local client. This grants the attacker the ability to invoke any tool or capability exposed by MCP servers running behind the gateway. The gateway running in the default stdio mode is unaffected because that mode does not bind a network socket.
Root Cause
The root cause is missing host and origin validation on the network-facing transports. Without an allowlist of permitted Host header values and proper Origin checks, the gateway accepts requests from any browser context that can resolve to its listening address.
Attack Vector
Exploitation requires user interaction. The victim must visit an attacker-controlled web page or load a malicious advertisement. The attacker then leverages short-TTL DNS records to swap the resolved IP from an external host to 127.0.0.1 or another address where the gateway listens.
// Patch in pkg/gateway/transport.go (Docker MCP Gateway v0.28.0)
import (
"context"
+ "fmt"
"io"
"net"
"net/http"
+ "net/url"
"github.com/modelcontextprotocol/go-sdk/mcp"
Source: Docker MCP Gateway commit 6b076b2. The patch introduces URL parsing and formatted validation logic used to verify request hosts before processing transport requests.
Detection Methods for CVE-2025-64443
Indicators of Compromise
- Unexpected HTTP requests to the MCP gateway listener originating from browser User-Agent strings rather than known MCP clients.
- Requests carrying Host headers that do not match the gateway's configured bind address or localhost.
- MCP tool invocations occurring during user web-browsing sessions without corresponding workflow activity.
Detection Strategies
- Inspect gateway access logs for requests with mismatched Host headers or missing Origin headers.
- Correlate MCP tool invocation events with proxy or DNS telemetry showing recently rebound short-TTL domains.
- Monitor for outbound DNS queries from endpoint browsers resolving the same hostname to both public and private IP ranges within a short window.
Monitoring Recommendations
- Log all HTTP requests reaching the MCP gateway, including full Host, Origin, and Referer headers.
- Alert on processes binding to MCP gateway ports when transport is set to sse or streaming on multi-user systems.
- Track the deployed version of docker/mcp-gateway across hosts and flag any instance below 0.28.0.
How to Mitigate CVE-2025-64443
Immediate Actions Required
- Upgrade Docker MCP Gateway to version 0.28.0 or later on all hosts.
- Switch any non-essential deployments back to the default stdio transport, which is not affected.
- Restrict the gateway listener to 127.0.0.1 and place it behind host-based firewall rules.
Patch Information
Docker released version 0.28.0 containing commit 6b076b2479d8d1345c50c112119c62978d46858e, which adds host validation to the transport layer. Details are available in the Docker MCP Gateway Security Advisory GHSA-46gc-mwh4-cc5r.
Workarounds
- Run MCP Gateway only in the default stdio mode until upgrading is possible.
- Block browser access to the gateway port using local firewall rules or iptables policies that drop requests from non-loopback sources.
- Require an authentication token on the reverse proxy in front of the gateway and reject requests lacking a trusted Origin.
# Verify installed version and upgrade
docker mcp gateway version
docker pull docker/mcp-gateway:0.28.0
# Restrict the listener to loopback only when running sse/streaming mode
docker mcp gateway run --transport stdio
# Optional host firewall rule to block remote access to the gateway port
sudo iptables -A INPUT -p tcp --dport 8811 ! -s 127.0.0.1 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
