CVE-2025-10193: 
Python vulnerability analysis and mitigation

A DNS rebinding vulnerability (CVE-2025-10193) was discovered in Neo4j Cypher MCP server versions 0.2.2 through 0.3.1. The vulnerability was disclosed on September 11, 2025, and allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized tool invocations against locally running Neo4j MCP instances (Neo4j Security, GitHub Advisory).

The vulnerability is classified as High severity with a CVSS v4.0 base score of 7.4. The attack vector is Network-based, requiring high attack complexity and active user interaction. The vulnerability stems from an origin validation error (CWE-346) where the product does not properly verify that the source of data or communication is valid (GitHub Advisory).

If successfully exploited, the vulnerability allows attackers to bypass Same-Origin Policy protections and execute unauthorized tool invocations against locally running Neo4j MCP instances. The attack can result in high impact on both confidentiality and integrity of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in version 0.4.0 with the addition of CORS Middleware to the Cypher MCP server that blocks all web-based access by default. For users unable to upgrade, using stdio mode is recommended as a workaround. Additional security measures include running MCP servers behind a firewall or reverse proxy such as nginx or Apache with header validations (Neo4j Security, GitHub Advisory).

The vulnerability was responsibly disclosed by Evan Harris from mcpsec.dev, following proper disclosure policies. Neo4j has acknowledged the contribution in their security advisory (GitHub Advisory).