N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64443

CVE-2025-64443: Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode

Impact

When ran in sse or streaming mode (--transport), the Docker MCP Gateway is vulnerable to a DNS rebinding attack.

Vulnerability allows for Browser-Based exploitation of any MCP servers that are executing within the Docker MCP Gateway. Any tools or other features exposed by MCP servers can be manipulated by an attacker who is able to get a victim to visit a malicious website, or if a victim is served a malicious advertisement.

The MCP Gateway is not prone to this attack when started in its default stdio mode, which does not listen on any network ports.

Patches

Patch available in version v0.28.0

Workarounds

Do not start the MCP gateway in sse or streaming mode (use default stdio)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64443

CVE-2025-64443:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/docker/mcp-gateway	go	<= 0.27.0	0.28.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a DNS rebinding attack in the Docker MCP Gateway when it's configured to run in sse or streaming mode. In these modes, the gateway starts an HTTP server to listen for client connections. The root cause of the vulnerability is that these HTTP servers did not have any authentication mechanism. A malicious website visited by a user could use DNS rebinding to make requests to the locally running gateway, bypassing the browser's same-origin policy and gaining control over the MCP servers managed by the gateway.

The analysis of the patch commit fe073985c8eb6e0c9317d2f198c07686f70ea06d confirms this. The patch introduces an authentication middleware (authenticationMiddleware) that enforces Bearer token authentication for all endpoints except /health. The startSseServer and startStreamingServer functions in pkg/gateway/transport.go were modified to apply this middleware to their HTTP handlers. These two functions are therefore identified as the core of the vulnerability, as they were responsible for creating the insecure servers. The Run function in pkg/gateway/run.go is the orchestrator that, based on the configuration, decides to call these vulnerable functions, making it a key part of the exploitation path.

Vulnerable functions

gateway.Gateway.Run

pkg/gateway/run.go

The `Run` function is the entry point that reads the user-provided 'transport' option and, based on its value, starts the appropriate server. If the transport is set to 'sse' or 'streaming', it calls `startSseServer` or `startStreamingServer` respectively, which, prior to the patch, would start an unauthenticated HTTP server, making it vulnerable to DNS rebinding attacks.

gateway.Gateway.startSseServer

pkg/gateway/transport.go

This function starts an HTTP server for Server-Sent Events (SSE). Before the patch, the server was started with a handler that did not perform any authentication. This allowed any website, through a DNS rebinding attack, to connect to and interact with the MCP gateway. The patch fixes this by wrapping the handler in an `authenticationMiddleware`.

gateway.Gateway.startStreamingServer

pkg/gateway/transport.go

This function starts an HTTP server for streaming transport. Before the patch, the server was started with a handler that did not perform any authentication. This allowed any website, through a DNS rebinding attack, to connect to and interact with the MCP gateway. The patch fixes this by wrapping the handler in an `authenticationMiddleware`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64443: Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode

Impact

Patches

Workarounds

CVE-2025-64443:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

N/A

N/A

CVE-2025-64443: Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode

Impact

Patches

Workarounds

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI