Information
Neo4j Cypher MCP server versions 0.2.2 to 0.3.1 are vulnerable to DNS rebinding attacks. The attack relies on the user being enticed to visit a malicious website and remaining there long enough for DNS rebinding to succeed. Once the attacker-controlled hostname resolves to the loopback address, the victim's browser sends requests to the local MCP server that carry the attacker's hostname in the Host and Origin headers. If successful, the attacker can bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances.
We recommend upgrading to v0.4.0 or above, where the issue is fixed. If you cannot update, the workaround is to use stdio mode, which is not exposed to this attack because it does not listen on a network socket. Another way to secure your MCP servers is to run them behind a firewall, or behind a reverse proxy such as nginx or Apache that validates the Host and Origin headers and rejects requests that do not name the expected server.
If you suspect a compromise, check the server or proxy logs for requests whose Origin (or Host) header differs from the address of the MCP server. Because the requests are sent by the victim's own browser, their source IP will be local; the mismatched header is what reveals the attempt.
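The header validation recommended above, and the log check that follows from it, as an added example in Python. This is not code from the Neo4j MCP project: it assumes the server listens on localhost, and the log format in the constructed sample lines (client IP, then `host=` and `origin=` fields) is an assumption, since the real access-log layout is not given on this page.

```python
"""Host/Origin allowlist check for a local MCP server, plus a log sweep that
flags DNS-rebinding attempts. Added example, not the mcp-neo4j project's own
code. Assumes the server is reached only via localhost names; the sample log
format below is constructed for the example."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hostnames a browser on the same machine legitimately uses to reach a local
# MCP server. A rebinding page reaches it under the attacker's hostname instead.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname(value: str) -> str | None:
    """Return the lowercase hostname from a Host header or an Origin URL."""
    if not value:
        return None
    # Host headers carry no scheme; Origin values do. Normalise to one form.
    if "://" not in value:
        value = "//" + value
    host = urlsplit(value).hostname
    if host is None:
        return None
    # urlsplit strips the brackets from IPv6 literals; restore them so the
    # allowlist comparison is uniform.
    if ":" in host:
        host = f"[{host}]"
    return host.lower()


def is_allowed_request(headers: dict[str, str]) -> bool:
    """Accept a request only if Host and (when present) Origin are local."""
    lower = {k.lower(): v for k, v in headers.items()}
    if _hostname(lower.get("host", "")) not in LOCAL_HOSTS:
        # Rebinding: the attacker's hostname now resolves to 127.0.0.1, but the
        # browser still names it in Host.
        return False
    origin = lower.get("origin")
    if origin is None:
        return True  # non-browser client, e.g. a local MCP client process
    if origin.lower() == "null":
        return False  # opaque origin (sandboxed iframe, file://); do not trust
    return _hostname(origin) in LOCAL_HOSTS


# Constructed sample access-log lines (not real Neo4j MCP output). Every
# request comes from 127.0.0.1 because rebinding traffic is sent by the
# victim's own browser; only the headers distinguish the attack.
SAMPLE_LOG = """\
127.0.0.1 host=localhost:8000 origin=- POST /mcp
127.0.0.1 host=localhost:8000 origin=http://localhost:8000 POST /mcp
127.0.0.1 host=rebind.attacker.example:8000 origin=http://rebind.attacker.example:8000 POST /mcp
127.0.0.1 host=localhost:8000 origin=http://rebind.attacker.example POST /mcp
"""


def find_rebinding_attempts(log_text: str) -> list[str]:
    """Return log lines whose Host or Origin does not name the local server."""
    flagged = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        headers = {"Host": fields.get("host", "")}
        if fields.get("origin", "-") != "-":
            headers["Origin"] = fields["origin"]
        if not is_allowed_request(headers):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for hit in find_rebinding_attempts(SAMPLE_LOG):
        print("suspicious:", hit)
```

The same `is_allowed_request` check is what a reverse proxy in front of the server should enforce before forwarding; when sweeping logs, filter on the header mismatch rather than on the client address, which is local for both legitimate and rebound requests.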