CVE-2025-10193 in neo4j-cypher MCP server
Summary
by MITRE • 09/11/2025
DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.
Analysis
by VulDB Data Team • 09/11/2025
This vulnerability represents a critical DNS rebinding attack vector targeting Neo4j's Cypher Management Protocol (MCP) server implementation. The flaw lies in how the Neo4j MCP server handles DNS resolution and network communication, giving attackers a way to circumvent standard browser security mechanisms. When a user visits a malicious website, the attacker manipulates the DNS responses for the site's own domain so that the browser's subsequent requests to that domain are sent to localhost or an internal network address rather than to the attacker's server, effectively bypassing the Same-Origin Policy that normally prevents web pages from accessing local resources. This vulnerability specifically affects Neo4j instances running with MCP enabled, where the server listens on network interfaces that are reachable from the attacker-controlled web environment.
Exploitation relies on a DNS rebinding attack that leverages the time-based nature of DNS resolution and caching. The attacker serves a web page from a domain that initially resolves to an external IP address and is then re-pointed to localhost or an internal network address, while the browser continues to treat both as the same origin. The Neo4j MCP server, when processing the requests that arrive after the rebind, fails to properly validate the originating IP addresses or enforce proper access controls. This allows the malicious website to execute unauthorized commands against the locally running Neo4j instance, potentially leading to data exfiltration, command execution, or privilege escalation. The vulnerability is particularly dangerous because it requires minimal user interaction beyond visiting the malicious website and staying on it long enough for the rebind to occur, making it a significant threat vector for targeted attacks.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable full compromise of Neo4j database instances running locally on affected systems. An attacker could potentially execute arbitrary Cypher queries, access sensitive graph data, modify database structures, or even escalate privileges if the Neo4j service runs with elevated permissions. The attack surface is particularly concerning in environments where Neo4j instances are configured to accept connections from local network interfaces or where users frequently browse untrusted websites. This vulnerability aligns with CWE-284 (Improper Access Control) and CWE-290 (Authentication Bypass by Spoofing) categories, representing a sophisticated bypass of network-level security controls. The attack pattern also corresponds to ATT&CK technique T1212 (Exploitation for Credential Access) and T1071.004 (Application Layer Protocol: DNS) as it leverages DNS manipulation for privilege escalation.
Organizations should immediately implement network-level mitigations including firewall rules that restrict access to MCP ports from external networks, disable MCP functionality when it is not required, and ensure that Neo4j instances are configured to bind only to trusted network interfaces. The recommended solution involves updating to patched versions of Neo4j where the vulnerability has been addressed through improved DNS validation and enhanced access control mechanisms. Additional defensive measures include implementing Content Security Policy headers to limit script execution from untrusted domains, monitoring network traffic for suspicious DNS rebinding patterns, and educating users about the risks of visiting untrusted websites. System administrators should also consider implementing network segmentation to isolate Neo4j instances from general web browsing environments, thereby reducing the attack surface for such sophisticated attacks that rely on user interaction and browser-based exploitation techniques.
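The access-control check that the exploitation and mitigation paragraphs above turn on, as an added example that is not code from the neo4j-cypher MCP project or from its fix: a browser that has been rebound still sends the attacker's domain in the Host and Origin headers, so a locally bound server that compares both against the hostnames it was bound to rejects the rebound request. DEFAULT_ALLOWED_HOSTS and the function names are assumptions for this illustration.

```python
"""Host/Origin allowlist check for a locally bound MCP-style HTTP server.

DNS rebinding changes where a domain resolves, not what the browser puts in
the Host header: a rebound request still carries the attacker's domain.
"""
from urllib.parse import urlsplit

# Hostnames under which a local instance is legitimately addressed
# (constructed default; a real deployment configures its own list).
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def _hostname(host_header):
    """Return the hostname part of a Host header, dropping any port;
    handles bracketed IPv6 such as "[::1]:8000" and normalises case."""
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    # exactly one colon means host:port; more means a bare IPv6 literal
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def host_is_trusted(host_header, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """True only if the Host header names an allowlisted hostname.
    A missing or empty Host header is rejected rather than assumed local."""
    if not host_header:
        return False
    return _hostname(host_header) in allowed_hosts


def origin_is_trusted(origin_header, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Browsers attach Origin to cross-site requests. No Origin (a non-browser
    client such as an MCP host process) is accepted; a foreign or opaque
    ("null") Origin is refused."""
    if origin_header is None:
        return True
    parts = urlsplit(origin_header)
    return parts.scheme in ("http", "https") and (parts.hostname or "") in allowed_hosts


def request_is_trusted(headers, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Combined check over a request's headers (names compared case-insensitively)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return (host_is_trusted(lowered.get("host"), allowed_hosts)
            and origin_is_trusted(lowered.get("origin"), allowed_hosts))
```

Run the check before any tool invocation is dispatched; a request that fails it should be answered with an error and logged, since a foreign Host on a loopback listener is a strong rebinding signal.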