
DNS Rebinding Flaw in MCP Toolbox Exposes Enterprise Database Connectors

The flaw allows attackers to bypass origin restrictions through DNS rebinding, potentially exposing enterprise database connectors to unauthorized access.

CSBadmin

The Vulnerability

Security researchers have disclosed a serious vulnerability in MCP Toolbox, a widely used enterprise tool for managing database connections. The flaw lies in the Server-Sent Events (SSE) transport, whose request-origin checks are lax enough that an attacker can bypass them and gain unauthorized access to internal systems. Although stricter cross-origin controls had been added during the beta phase, one HTTP response header remained overly permissive, effectively setting Access-Control-Allow-Origin to the wildcard value *. Classified as a permissive cross-domain policy issue, this configuration undermines the security flags that were introduced to protect against exactly this kind of attack.

Attack Vector and Impact

Attackers can exploit this vulnerability with DNS rebinding. In a typical scenario the victim visits a website on an attacker-controlled domain. The attacker's DNS server first answers for that name with the attacker's own address and then, once the page is loaded, re-answers the same name with an internal address, such as the loopback address or a host on the victim's network where MCP Toolbox is running. The victim's browser still treats the page and the Toolbox service as one origin, so its same-origin policy never intervenes; each request carries the attacker's domain in the Host header, and a server that does not reject unexpected Host and Origin values simply answers. Because Access-Control-Allow-Origin is also a wildcard, the attacker's page can read the responses as well as send requests. This gives the attacker indirect access to the enterprise database connectors behind the Toolbox, potentially exposing sensitive data or allowing unauthorized database queries. The risk is highest in cloud and hybrid environments, where internal services are commonly reachable through web interfaces and the attack surface is correspondingly larger. The flaw affects MCP Toolbox with SSE enabled under the MCP v2024-11-05 specification; organizations that expose enterprise database connectors through SSE endpoints are most at risk.
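The check that stops this attack is server-side, because the browser never sees a cross-origin request. The following Go example is added here and is not code from MCP Toolbox or its maintainers. It places a permissive SSE handler that sets a wildcard Access-Control-Allow-Origin, as the article describes, beside a hardened handler that validates the Host header and any Origin header against a loopback allowlist before writing a single event. The allowlist, the handler names, the /sse path and the attacker.example domain are assumptions made for the example, and the probe requests are constructed inline so it runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts is a hypothetical allowlist for a locally bound MCP server.
// A rebound name (attacker.example) is never in it: the browser keeps
// sending the original name in Host and Origin even after that name has
// been re-resolved to 127.0.0.1.
var allowedHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
}

// hostName strips an optional :port and IPv6 brackets from a Host value.
func hostName(hostport string) string {
	h := hostport
	if host, _, err := net.SplitHostPort(hostport); err == nil {
		h = host
	}
	return strings.ToLower(strings.Trim(h, "[]"))
}

// RequestAllowed is the anti-rebinding check: Host must be on the allowlist,
// and if the browser sent an Origin, that must be on the allowlist as well.
func RequestAllowed(r *http.Request) bool {
	if !allowedHosts[hostName(r.Host)] {
		return false
	}
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		if err != nil || !allowedHosts[hostName(u.Host)] {
			return false
		}
	}
	return true
}

// permissiveSSE mirrors the weak configuration: no Host or Origin check and
// a wildcard Access-Control-Allow-Origin, so any page can read the stream.
func permissiveSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /messages\n\n")
}

// hardenedSSE rejects rebound requests before any event is written and only
// echoes an Origin it has already validated.
func hardenedSSE(w http.ResponseWriter, r *http.Request) {
	if !RequestAllowed(r) {
		http.Error(w, "forbidden host or origin", http.StatusForbidden)
		return
	}
	if origin := r.Header.Get("Origin"); origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /messages\n\n")
}

// Probe sends a constructed GET /sse carrying the given Host and Origin to a
// handler and returns the HTTP status it produced.
func Probe(h http.HandlerFunc, host, origin string) int {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Host = host // what a rebound browser still sends: the attacker's name
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a rebound browser request and a genuine local client.
	fmt.Println("permissive, rebound:", Probe(permissiveSSE, "attacker.example:5000", "http://attacker.example:5000"))
	fmt.Println("hardened, rebound:  ", Probe(hardenedSSE, "attacker.example:5000", "http://attacker.example:5000"))
	fmt.Println("hardened, local:    ", Probe(hardenedSSE, "127.0.0.1:5000", ""))
}
```

The permissive handler answers the rebound request with 200, the hardened one with 403, and the hardened one still serves a local client. The Host check is the one that matters: browsers omit the Origin header on same-origin GET requests such as an EventSource connection, so an Origin-only check lets the rebound stream through, whereas Host always names the domain the page was loaded from.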

Source: Cyber Security News
