VYPR

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

Variant · Draft

Description

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-142 · CAPEC-275 · CAPEC-73 · CAPEC-89

CVEs mapped to this weakness (25)

page 1 of 2
  • CVE-2026-1490 · Critical · Feb 15, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including,…

  • CVE-2023-52235 · High · Apr 5, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish before 07dd2798-ff15-4722-a9ee-de28928aed34 allow CSRF (e.g., for a reboot) via a DNS Rebinding attack.

  • CVE-2025-8036 · High · Jul 22, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

  • CVE-2018-7160 · High · May 17, 2018
    risk 0.51 · cvss 8.8 · epss 0.10

    The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the…

  • CVE-2026-42559 · High · May 14, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a…

  • CVE-2017-0902 · High · Aug 31, 2017
    risk 0.46 · cvss 8.1 · epss 0.05

    RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

  • CVE-2026-36604 · Medium · Jun 3, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability…

  • CVE-2025-61430 · Medium · Oct 24, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len),…

  • CVE-2026-43582 · Medium · May 6, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual…

  • CVE-2024-53275 · Medium · Dec 23, 2024
    risk 0.34 · cvss n/a · epss 0.00

    Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, the default setup of home-gallery is vulnerable to DNS rebinding. Home-gallery is set up without TLS and user authentication by default, leaving it vulnerable…

  • CVE-2018-1099 · Medium · Apr 3, 2018
    risk 0.29 · cvss 5.5 · epss 0.01

    DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).

  • CVE-2026-6874 · Medium · Apr 23, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from…

  • CVE-2026-41393 · Medium · Apr 28, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation.

  • CVE-2026-46611 · Medium · Jun 22, 2026
    risk 0.19 · cvss n/a · epss 0.00

    The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP…

  • CVE-2025-59163 · Low · Sep 29, 2025
    risk 0.07 · cvss n/a · epss 0.00

    vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an…

  • CVE-2015-3900 · Jun 24, 2015
    risk 0.01 · cvss n/a · epss 0.09

    RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

  • CVE-2026-33002 · Mar 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers,…

  • CVE-2025-66416 · Dec 2, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP…

  • CVE-2025-66414 · Dec 2, 2025
    risk 0.00 · cvss n/a · epss 0.00

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on…

  • CVE-2025-59956 · Sep 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API.…