The googleapis/genai-toolbox doesn't, by default, validate the Origin header when requests are sent to it, thus violating one of the clauses of both the 2025-06-18 and 2025-11-25 MCP specifications.
Servers MUST validate the Origin header on all incoming connections to prevent DNS rebinding attacks
If the Origin header is present and invalid, servers MUST respond with HTTP 403 Forbidden. The HTTP response body MAY comprise a JSON-RPC error response that has no id
...
Without these protections, attackers could use DNS rebinding to interact with local MCP servers from remote websites.
- 2025-11-25: Base Protocol > Transports: 2.0.1 Security Warning
The Google MCP Toolbox should not be vulnerable to this attack vector; however, to date it remains vulnerable.
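The check the quoted spec text requires, as an added example in Go (not the toolbox's own code): an http.Handler wrapper that accepts requests without an Origin header (non-browser clients), allows a small assumed set of loopback origins, and answers any other Origin with 403 and an id-less JSON-RPC error. The allowed set, the /mcp path and port 5000 are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is an assumed allow-list: only pages served from the
// loopback origins of this server may talk to it from a browser.
var allowedOrigins = map[string]bool{
	"http://localhost:5000": true,
	"http://127.0.0.1:5000": true,
}

// OriginAllowed implements the MCP transport rule: an absent Origin is
// accepted, a present but unrecognised one (including "null") is rejected.
func OriginAllowed(origin string, allowed map[string]bool) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	// Compare scheme://host[:port] case-insensitively, ignoring any path.
	return allowed[strings.ToLower(u.Scheme)+"://"+strings.ToLower(u.Host)]
}

// RequireValidOrigin wraps an MCP handler and returns 403 Forbidden with a
// JSON-RPC error body that has no id, as the spec permits, on a bad Origin.
func RequireValidOrigin(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if OriginAllowed(r.Header.Get("Origin"), allowed) {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusForbidden)
		json.NewEncoder(w).Encode(map[string]any{
			"jsonrpc": "2.0",
			"error":   map[string]any{"code": -32000, "message": "invalid Origin header"},
		})
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"jsonrpc":"2.0","result":{},"id":1}`)) // stand-in MCP endpoint
	})
	// Bind to loopback only; 0.0.0.0 would also expose the server on the LAN.
	http.ListenAndServe("127.0.0.1:5000", RequireValidOrigin(allowedOrigins, mux))
}
```

Binding to 127.0.0.1 keeps the listener off the network, but it does not stop a rebound browser page on the same machine, which is exactly what the Origin check is for; the two controls complement each other.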
Current Behavior
This vulnerability provides an attacker that is able to get a victim to visit a malicious website, or view a malicious ad, full control over the locally running toolbox MCP server.
This allows for database manipulation, data theft, creating new resources, or making HTTP requests from the context of the developer's computer, as if they were an MCP-connected AI agent. Basically, any functionality this MCP server exposes to an AI agent can be performed by an attacker.
Steps to reproduce?
poc_Google_Toolbox.mov
Proof of Concept
Install genai-toolbox
Create a toolbox.yaml in the current working directory and configure some database connections
Set the "Target Host" to "0.0.0.0" for Unix-like platforms (e.g. Linux, macOS) and to "127.0.0.1" (or any other valid local host addresses) for Microsoft Windows.
Set the target port to 5000
Open the browser console
Click "Start DNS Rebinding Attack"
Once lit, click "Initialize MCP Session"
You should be able to fully interact with the MCP server over the DNS rebound iframe
This demonstrates how the browser can be leveraged as a confused deputy for full control over the locally running toolbox MCP server.
If that doesn't work
Replacement for step 5:
Leave the "Target Host" as 127.0.0.1
Click "Toggle Advanced Options"
Set "Rebinding Strategy" to "First then Second"
Set "Interval" to 10
Additional Details
This vulnerability was originally disclosed to the Google Vulnerability Rewards Program (VRP) on Oct 14, 2025 with an initial 90-day vulnerability disclosure policy. This vulnerability to date remains unfixed in a secure-by-default manner.
I will be reaching out to VulnCheck to assist with CVE assignment on this issue per the CVE CNA Rules: CVE CNA Rule 4.1.4
4.1.4 Insecure default configuration settings SHOULD be determined to be Vulnerabilities.
This vulnerability has been fully, publicly disclosed at two conferences including BSides SF, and the Linux Foundation's MCP Summit.
Errata from the original Bug reporting form:
Prerequisites
I've searched the current open issues
I've updated to the latest version of Toolbox
Toolbox version
toolbox version 1.1.0+dev.darwin.arm64
Environment
OS type and version: Darwin jonathanleitschuh-YXC7065X20 24.6.0 Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000 arm64
How are you running Toolbox:
Downloaded using homebrew
Executed via the command line toolbox
Client
Client: Custom client built to demonstrate how MCP servers can be hacked from the browser over DNS rebinding
Expected Behavior