DNS rebinding attacks are a sophisticated exploitation technique that has silently threatened self-hosted services for years. In early 2025, the vulnerability took center stage when security researchers discovered that the Model Context Protocol's official SDKs—TypeScript, Python, Rust, and Go—disabled DNS rebinding protection by default or entirely on localhost deployments. The result: a malicious website could reach your local MCP server, invoke tools, and exfiltrate data without triggering a browser warning or CORS error.

This guide walks through the vulnerability, shows you exactly which SDK versions are vulnerable, and provides step-by-step fixes for every runtime environment.

What is DNS Rebinding?

DNS rebinding is a client-side attack where an attacker controls a malicious domain with specially configured DNS responses. Here's how it works:

  1. First request: Victim visits attacker's website (via phishing, normal browsing, or a compromised link). The browser resolves the attacker's domain to their public IP address, loads the malicious page, and JavaScript executes.
  2. DNS change: The attacker's DNS server changes its response for the same domain—now returning 127.0.0.1 (localhost).
  3. Second request: The browser makes another request to the same domain. Because the domain hasn't changed, the browser's same-origin policy treats the request as safe, even though the IP has silently been rebound to localhost.
  4. Local access: The request reaches the victim's local MCP server running on 127.0.0.1:5000 (or similar), bypassing network firewalls and the browser's normal cross-origin protections.

Why MCP matters: MCP servers bridge your AI tools with internal systems—databases, APIs, source code repositories. If an attacker reaches them, they can invoke tools, read sensitive data, or inject commands into your deployment pipeline.
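In the rebinding sequence above, the TCP connection ends up on loopback but the browser still sends the attacker's domain in the Host header, which is what a local server can check. The following is an added example, not code from the MCP SDKs or from this guide: a Host and Origin allow-list check for a loopback-only HTTP server. Port 5000 is taken from the address used above; the function and constant names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed values for this sketch: a server bound to loopback on port 5000.
ALLOWED_NAMES = {"127.0.0.1", "localhost", "::1"}
LISTEN_PORT = 5000


def parse_authority(value):
    """Split 'host[:port]' or '[v6]:port' into (hostname, port); None if malformed."""
    value = value.strip()
    if not value or any(c in value for c in "/@?#\\ \t"):
        return None
    try:
        parts = urlsplit("//" + value)
        return (parts.hostname or "").rstrip("."), parts.port
    except ValueError:  # bad port or unbalanced IPv6 brackets
        return None


def check_request(headers):
    """Return (allowed, reason). `headers` maps lower-case header names to values."""
    authority = parse_authority(headers.get("host", ""))
    if authority is None:
        return False, "missing or malformed Host"
    name, port = authority
    if name not in ALLOWED_NAMES:
        # A rebound request lands here: the socket peer is loopback,
        # but the browser still sends the attacker's domain in Host.
        return False, "Host is not a loopback name"
    if port not in (None, LISTEN_PORT):
        return False, "Host port does not match listener"
    origin = headers.get("origin")
    if origin is not None:
        # Origin is "scheme://host[:port]" or the literal "null".
        o = parse_authority(origin.partition("://")[2])
        if o is None or o[0] not in ALLOWED_NAMES:
            return False, "Origin is not a loopback name"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"host": "127.0.0.1:5000"},
    {"host": "rebind.attacker.example:5000"},
    {"host": "127.0.0.1:5000", "origin": "https://attacker.example"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h.get("host"), h.get("origin"), check_request(h))
```

The check has to run before any tool dispatch, and a rejected request should get an error response with no tool output in the body.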