DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.
CORS Middleware added to Cypher MCP server v0.4.0 that blocks all web-based access by default.
If you cannot upgrade to v0.4.0 and above, use stdio mode.
Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-10193
Credits
We want to publicly recognize the contribution of Evan Harris from mcpsec.dev for reporting this issue and following the responsible disclosure policy.
| Score | Percentile |
|---|---|
| 0.02% | 6.06% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.4 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-vcqx-v2mg-7chx ↗ |
| CVE | CVE-2025-10193 ↗ |
| CWE id | Name |
|---|---|
| CWE-346 | Origin Validation Error |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | mcp-neo4j-cypher | >= 0.2.2, < 0.4.0 | 0.4.0 | — |