Full Report
Learn about CVE-2025-49596, a critical missing authentication vulnerability affecting Anthropic’s MCP Inspector tool. Download our Nuclei template to check if your systems are vulnerable.
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Anthropic MCP Inspector
## CVE Details
- CVE ID: CVE-2025-49596
- CVSS Score: (Not explicitly stated, but described as "critical")
- CWE: (Not explicitly stated)
## Affected Systems
- Products: Anthropic MCP Inspector (Specifically the MCP Proxy component - MCPP)
- Versions: Prior to version 0.14.1
- Configurations: When the MCPP is reachable on the local network or exposed to the internet, and authenticating/validating sources of `stdio` requests from the browser client is absent.
## Vulnerability Description
CVE-2025-49596 is a critical vulnerability in the MCP Inspector Proxy (MCPP) that allows unauthenticated Remote Code Execution (RCE). The flaw exists because the MCPP accepts arbitrary `stdio` commands without authenticating or validating requests originating from its browser client (MCPI). This allows an attacker to leverage browser behaviors (like interpreting `0.0.0.0` as localhost) combined with Cross-Site Request Forgery (CSRF) vulnerabilities or DNS rebinding techniques to force a victim's browser to send malicious HTTP requests to the local MCPP instance, executing arbitrary system commands with the user's privileges.
## Exploitation
- Status: PoC available (Insikt Group demonstrated exploitation techniques)
- Complexity: Low (Leverages known browser behaviors combined with a CSRF vector)
- Attack Vector: Network (via crafted web pages accessible to the victim)
## Impact
- Confidentiality: High (Attacker gains visibility into network-attached resources based on user privileges)
- Integrity: High (Attacker can execute arbitrary system commands)
- Availability: Medium (Potential for system disruption via executed commands)
## Remediation
### Patches
- Upgrade to MCP Inspector version **0.14.1 or later**. This update implements safeguards:
1. Session tokens must now accompany every proxy request.
2. Allowed-origin checks reject traffic from unauthorized websites when the server is bound only to localhost.
### Workarounds
- Ensure the MCP Inspector Proxy (MCPP) is **not exposed** to the public internet.
- Restrict access to the instance only to trusted, local networks where CSRF attacks originating from public web pages are not feasible if patching is delayed.
## Detection
- **Indicators of Compromise:** System commands being executed without expected user initiation, such as the creation of files like `/tmp/exploited-from-the-browser`.
- **Detection methods and tools:** A Nuclei template created by Insikt Group can be used for testing. This template sends a GET request to the `/sse` endpoint with parameters `transportType=stdio`, `command=echo`, and `args=CVE-2025-49596_TEST`, checking for a 200 OK response containing `sessionId=`. Patched versions respond with 401 Unauthorized.
## References
- Vendor Advisory/Commit: Commit `50df0e1ec488f3983740b4d28d2a968f12eb8979`
- PoC/Detection Template: Downloadable YAML file from the associated blog post
- Additional Context: Oligo security blog post on the RCE
- Documentation: Link to the MCP Inspector Github repository