Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-59956
CVE-2025-59956:
vulnerability analysis and mitigation
Overview
AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex that was found to be vulnerable to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. The vulnerability, identified as CVE-2025-59956, affects versions 0.3.3 and below, and was discovered by Evan Harris from mcpsec.dev. The issue was reported on July 25, 2025, and was patched in version 0.4.0 released on August 13, 2025 (MCP Advisory, GitHub Advisory).
Technical details
The vulnerability stems from insufficient validation of Host and Origin headers in the HTTP server running on localhost. The CVSS v3.1 score is 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The attack exploits DNS rebinding to bypass the browser's same-origin policy, allowing malicious websites to interact with the locally hosted Agent API. The vulnerability is classified under CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action) and CWE-290 (Authentication Bypass by Spoofing) (NVD, GitHub Advisory).
Impact
The vulnerability allows attackers to gain unauthorized access to the /messages endpoint served by the Agent API. This enables the exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. The DNS rebinding attack can be executed within seconds once a user connects to a malicious web server (MCP Advisory).
Mitigation and workarounds
Users should immediately update to Agent API version 0.4.0 or later, which implements Origin and Host header validating middleware and sets a secure by default configuration. For developers, long-term mitigations include implementing robust Host header validation for locally served HTTP APIs, adding CSRF protection, and including security warnings in documentation for tools that expose local network services (MCP Advisory, GitHub Release).
Community reactions
The vulnerability highlights a critical security challenge for the growing ecosystem of local AI-powered developer tools. The Coder team responded promptly to the report, acknowledging it on July 25, 2025, reproducing it by July 29, and releasing a patch by August 13. They also awarded a security bounty for the report, demonstrating their commitment to security (MCP Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management