Anthropic MCP Critical Vulnerability Exposes Developer Machines to Remote Exploits

By user, July 1, 2025

Cybersecurity researchers have discovered a critical security vulnerability in the Model Context Protocol (MCP) Inspector project of artificial intelligence (AI) company Anthropic that could result in remote code execution (RCE) and give attackers full access to the host.

The vulnerability, tracked as CVE-2025-49596, has a CVSS score of 9.4 out of a maximum of 10.0.

“This is one of the first important RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks on AI developer tools,” Oligo Security’s Avi Lumelsky said in a report released last week.

“Code execution on a developer’s machine allows attackers to steal data, install backdoors, and move laterally across the network. This highlights the serious risks for AI teams, open source projects and enterprise adopters relying on MCP.”

Introduced by Anthropic in November 2024, MCP is an open protocol that standardizes the way large language model (LLM) applications integrate and share data with external data sources and tools.

MCP Inspector is a developer tool for testing and debugging MCP servers, which expose specific capabilities through the protocol and allow AI systems to access and interact with information beyond their training data.

It consists of two components: a client that provides an interactive interface for testing and debugging, and a proxy server that bridges the web UI to various MCP servers.

That said, a key security consideration to keep in mind is that the server should not be exposed to an untrusted network, as it has permission to spawn local processes and can connect to any specified MCP server.

This aspect, coupled with the fact that the default configuration developers use to spin up a local version of the tool comes with “critical” security risks, such as missing authentication and encryption, opens up a new attack path, according to Oligo.

“This misconception creates a critical attack surface as anyone with access to local networks or public internet can interact with and exploit these servers,” Lumelsky said.

The attack relies on a known security flaw affecting modern web browsers, called 0.0.0.0 Day.

“Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to a lack of authentication between the Inspector client and the proxy, allowing unauthorized requests to invoke MCP commands via stdio.”

0.0.0.0 Day is a 19-year-old vulnerability in modern web browsers that could allow malicious websites to breach local networks. It takes advantage of the fact that browsers cannot safely handle the IP address 0.0.0.0, leading to code execution.

“Attackers can exploit this flaw by creating a malicious website that sends requests to a localhost service running on an MCP server, thereby gaining the ability to run arbitrary commands on the developer’s machine,” explained Lumelsky.

“The fact that the default configuration exposes MCP servers to these types of attacks means that many developers can inadvertently open backdoors to their machines.”

Specifically, the proof-of-concept (PoC) uses the Server-Sent Events (SSE) endpoint to dispatch a malicious request from an attacker-controlled website and achieve RCE on the machine running the tool, even when it is listening on localhost (127.0.0.1).

This works because the IP address 0.0.0.0 tells the operating system to listen on all IP addresses assigned to the machine, including the local loopback interface (i.e., localhost).

In a hypothetical attack scenario, an attacker could set up a fake web page and trick a developer into visiting it. At that point, malicious JavaScript embedded in the page sends a request to 0.0.0.0:6277 (the default port on which the proxy runs) and instructs the MCP Inspector proxy to run an arbitrary command.

The attack can also leverage DNS rebinding techniques to create a forged DNS record pointing to 0.0.0.0:6277 or 127.0.0.1:6277 to bypass security controls and gain RCE privileges.

Following the responsible disclosure in April 2025, the vulnerability was addressed by the project maintainers on June 13th with the release of version 0.14.1. The fix adds a session token to the proxy server and incorporates origin validation to fully close the attack vector.

“Localhost services may seem secure, but the network routing capabilities of browsers and MCP clients often expose them to the public internet,” says Oligo.

“The mitigation adds the authorizations that were missing by default before the fix, validates the Host and Origin headers in HTTP, and ensures that the client is actually visiting from a known trusted domain. By default, the server blocks DNS rebinding and CSRF attacks.”
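
The three checks described above (Host validation, Origin validation and a session token) can be combined into a single request gate for any localhost development proxy. The following is an added illustration, not code from MCP Inspector or Oligo's report; the UI origin on port 6274, the token value and all function names are assumptions made for the sketch.

```javascript
// Added example: request gate for a localhost-only developer proxy.
// 6277 is the default proxy port named in the article; the UI origin on
// port 6274 and the token value below are assumptions for this sketch.
const PROXY_PORT = 6277;
const ALLOWED_HOSTS = new Set([`localhost:${PROXY_PORT}`, `127.0.0.1:${PROXY_PORT}`]);
const ALLOWED_ORIGINS = new Set(["http://localhost:6274", "http://127.0.0.1:6274"]);

// Compare every character so the check does not exit early on the first
// mismatch (Node's crypto.timingSafeEqual is the usual choice on buffers).
function tokensMatch(given, expected) {
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (given.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// headers: lower-cased header names, as Node's http module provides them.
function checkRequest(headers, sessionToken) {
  // Host: a rebound or 0.0.0.0 request reaches the socket, but the browser
  // still sends the name it navigated to, so anything off-list is refused.
  const host = (headers["host"] || "").toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { status: 403, reason: "host" };

  // Origin: a missing value (non-browser client, or a request type that
  // carries none) still has to pass the token check below.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin.toLowerCase())) {
    return { status: 403, reason: "origin" };
  }

  // Session token: generated at proxy start-up and known only to the local UI.
  const m = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  if (!m || !tokensMatch(m[1], sessionToken)) return { status: 401, reason: "token" };
  return { status: 200, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const TOKEN = "constructed-sample-token";
const SAMPLES = {
  localUi: { host: "localhost:6277", origin: "http://localhost:6274", authorization: `Bearer ${TOKEN}` },
  zeroHost: { host: "0.0.0.0:6277", origin: "https://site.example" },
  rebound: { host: "rebind.example:6277", origin: "http://rebind.example:6277" },
  crossSite: { host: "127.0.0.1:6277", origin: "https://site.example", authorization: `Bearer ${TOKEN}` },
  noToken: { host: "127.0.0.1:6277" },
};
const verdicts = () => Object.fromEntries(
  Object.entries(SAMPLES).map(([k, h]) => [k, checkRequest(h, TOKEN).reason]));
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 remains a separate control; the gate is what still holds when a browser on the same machine is the one relaying the request.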
