Evan Harris
@Evan__Harris
Followers: 706 | Following: 10K | Media: 97 | Statuses: 11K
Agentic systems engineer. Securing MCP integrations. Building dev tools & Obsidian plugins.
Security Research ➡️
Joined October 2017
Your vulnerability scan results could leak to attackers via DNS rebinding. CVE-2025-59163 affects SafeDep Vet MCP Server running SSE transport. The attack: A single website visit. The payload: Your entire package vulnerability database. The fix: Already shipped. Here's how it
This incident is a reminder of the security challenges posed by locally exposed developer tools. Robust Host header validation and CSRF protections are crucial. For a full technical breakdown, read the advisory: https://t.co/aMnkVJJDq7
mcpsec.dev
A DNS rebinding vulnerability in the Neo4j MCP Cypher Server allows remote attackers to execute arbitrary Cypher queries against a user’s database, leading to potential data theft, modification, and...
Shoutout to the @neo4j security team for stellar communication and a quick turnaround time on a security patch. I am grateful for their excellent triaging.
If you are using Neo4j MCP Cypher Server versions 0.2.2 through 0.3.1, you are vulnerable. An immediate update to the patched version, v0.4.0, is recommended.
The attack works when a user with a vulnerable server running locally visits a malicious webpage. The page performs the DNS rebind, tricking the browser into communicating directly with the local Neo4j service on the attacker's behalf.
An attacker can execute Cypher queries to exfiltrate, modify, or delete all data within the user's local Neo4j database. Neo4j rated this vulnerability as CVSS 4.0 High severity (7.4).
The Cypher MCP Server provides a local HTTP endpoint to run Cypher queries. The vulnerability allows a malicious website to send arbitrary queries to this endpoint.
New Security Advisory: A High severity DNS rebinding vulnerability (CVE-2025-10193) in the Neo4j MCP Cypher Server allows for complete database takeover by remote attackers. The breakdown:
Some companies are friendly to submit disclosures to. Others are so abrasive I do not expect to ever have another positive word to say about them. There may be many downstream users of the second batch of companies. However, the pain of helping them is not worth it. Sorry.
Evals Evals Evals
I am on Day 5 of AI Evals for Engineers & I am having a blast
I learned about:
- Axial Coding
- Open Coding
- LLM as Judge
- Error Analysis
- Golden Datasets
- Perturbing Traces
- Guardrails Versus Evals
- Programmatic Evaluators
What will next week hold?

What is your favorite type of programming? Mine is deleting a feature someone thought would be useful. But the data shows that no one wants it. Less maintenance work. More time to focus on value delivery.
AI Evals for Engineers & PMs - Day 3
This course is high value. I had no expectations. I have already been blown away. Feeling blessed to be in the Oct cohort as the infinite repeats will be my play. The community questions really drive much of my learning.
Not your keys not your crypto is a common saying. The new attack vectors via MCP servers add a new layer to this. Use of your keys, by the software you give too much trust to, again leads to the scenario of: Not your crypto.
Shoutout to @safedepio for the rapid response and coordinated disclosure. Read the full report & mitigation guidance: https://t.co/c1Mu8SIlKo
mcpsec.dev
SafeDep Vet MCP Server is vulnerable to DNS rebinding attacks allowing malicious websites to bypass Same-Origin Policy and exfiltrate scan database contents through unauthorized MCP tool invocations.
Important lesson for MCP server developers - network-based transports need careful HTTP security header validation. Default to:
- localhost binding
- stdio transport when possible
- Host/Origin validation for SSE/HTTP

SafeDep's response was 10 / 10
Aug 30: Report submitted
Sep 01: Acknowledged
Sep 02: PR raised with fix
Sep 05: v1.12.5 released (5 days!)
Sep 29: GHSA published
v1.12.5 adds Host/Origin header validation. Update now!

Despite data exfiltration potential, it's rated Low (CVSS 2.1) because:
- Victim must visit malicious site while MCP server is running
- SSE transport must be explicitly enabled (not default)
- Requires browser with EventSource support
- Timing window needed

What gets exfiltrated?
- Package names & versions in your projects
- Known CVEs affecting your dependencies
- Vulnerability severity scores
- Supply chain intelligence
Perfect recon for targeted attacks against your infrastructure.

Vet's SSE transport mode lacked Host/Origin header validation. When running vet server mcp --server-type sse, an attacker could:
- Establish an MCP session via DNS rebinding
- Invoke the sql_query tool
- Execute arbitrary READ queries against your scan database

DNS rebinding is a clever trick:
1. Victim visits attacker(.)com
2. DNS initially points to attacker's server
3. After browser caches the origin, DNS changes to localhost
4. Now attacker(.)com JS talks to victim's localhost
5. Browser's Same-Origin Policy is bypassed

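Added example, not part of the original posts and not SafeDep's or Neo4j's code: a Go sketch of the Host/Origin validation the posts above recommend for SSE/HTTP transports. It shows why a rebound request is rejected: after the DNS change the browser still sends the attacker's hostname in Host and Origin. The allowlist, port 8080 and all function names are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Names a local client legitimately uses to reach the server (assumption).
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// HostAllowed strips an optional port and IPv6 brackets, then checks the allowlist.
func HostAllowed(hostport string) bool {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		hostport = h
	}
	return allowedHosts[strings.ToLower(strings.Trim(hostport, "[]"))]
}

// CheckRequest returns "" when Host, and Origin if present, name a loopback host.
func CheckRequest(host, origin string) string {
	if !HostAllowed(host) {
		return "forbidden host"
	}
	if origin != "" {
		if u, err := url.Parse(origin); err != nil || !HostAllowed(u.Host) {
			return "forbidden origin"
		}
	}
	return ""
}

// RebindGuard rejects a request with 403 before it reaches the wrapped handler.
func RebindGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := CheckRequest(r.Host, r.Header.Get("Origin")); reason != "" {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) }
	// Loopback-only bind; port 8080 is a placeholder for the real listener.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", RebindGuard(http.HandlerFunc(ok))))
}
```

The check fails closed: an Origin of "null" or a look-alike name such as 127.0.0.1.attacker.example is rejected because only exact allowlist matches pass.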