CVE-2025-59163

SafeDep vet is vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation.

To exploit this vulnerability following conditions must be met:

A vet scan is executed and reports are saved as sqlite3 database
A vet MCP server is running on default port with SSE transport that has access to the report database
The attacker lures the victim to attacker controlled website
Attacker leverages DNS rebinding to access vet SSE server on 127.0.0.1 through the website
Attacker uses MCP tools to read information from report database

Impact

Data from vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool.

Patches

v1.12.5 is released that patches the issue with Host and Origin header allow list and validation

Workarounds

Use stdio (default) transport for SSE server

Published: Sep 29, 2025
Updated: Sep 30, 2025
CVE: CVE-2025-59163
GHSA: GHSA-6q9c-m9fr-865m
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-350

Affected Software
References

Software	From	Fixed in
github.com/safedep/vet	-	1.12.5

Vulnerability Database

CVE-2025-59163

Impact

Patches

Workarounds

Deep Security Visibility Without the Complexity