CVE-2025-59163:
Vulnerability analysis and mitigation
Overview
CVE-2025-59163 affects vet, an open source software supply chain security tool. The vulnerability was discovered and disclosed on September 29, 2025. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation (GitHub Advisory).
Technical details
The vulnerability stems from insufficient validation of HTTP Host and Origin headers in the vet MCP server when running in SSE (Server-Sent Events) transport mode. The issue is tracked as CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action). The vulnerability has received a CVSS v4.0 score of 2.1 (LOW) with the vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).
Impact
When vet is used as an MCP server in SSE mode with default ports, data from the vet scan sqlite3 database may be exposed to remote attackers through the sqlite3 query MCP tool. The vulnerability requires an attacker to lure a victim to an attacker-controlled website, from which they can leverage DNS rebinding to access the vet SSE server on 127.0.0.1 (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in version 1.12.5, which adds an allow list and validation for the Host and Origin headers. As a workaround, users can run the vet MCP server with the default stdio transport instead of the vulnerable SSE transport mode (GitHub Advisory, GitHub Release).
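The following Go program is an added example of the kind of Host and Origin allow-list check the patch describes; it is not vet's own code, and the allow list, the `/sse` route and the port 9988 are constructed values. Because a DNS-rebound browser request still carries the attacker's domain in its Host and Origin headers, the guard rejects it before the request reaches the SSE handler.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allow list for a loopback-only server; derive it from the real bind address.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// hostAllowed checks the Host header (with optional port) against the allow list. Under DNS
// rebinding the browser still sends the attacker's domain in Host, so this alone rejects it.
func hostAllowed(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h // drop the port
	}
	return allowedHosts[strings.Trim(strings.ToLower(host), "[]")] // normalise IPv6 literals
}

// originAllowed checks Origin when a browser sends one; absent Origin keeps non-browser clients working.
func originAllowed(origin string) bool {
	if origin == "" {
		return true // Host is still checked for these requests
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false // opaque values such as "null" are rejected
	}
	return allowedHosts[strings.ToLower(u.Hostname())]
}

// rebindingGuard rejects any request that fails either header check.
func rebindingGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) || !originAllowed(r.Header.Get("Origin")) {
			http.Error(w, "forbidden: Host or Origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // bind to loopback only; the port is a constructed example value
	mux := http.NewServeMux()
	mux.HandleFunc("/sse", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("data: ok\n\n")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:9988", rebindingGuard(mux)))
}
```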
Additional resources
Source: This report was generated using AI