Anthropic MCP Inspector Tool Vulnerability Let Attackers Execute Arbitrary Code on Developer Machines
- Source: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
A critical Remote Code Execution (RCE) vulnerability in Anthropic’s MCP Inspector tool, designated as CVE-2025-49596, has a severe CVSS score of 9.4.
This vulnerability represents one of the first critical security flaws found in Anthropic’s Model Context Protocol (MCP) ecosystem, potentially exposing AI developers and organizations to significant cyber threats through browser-based attacks.
Summary
1. CVE-2025-49596 in Anthropic's MCP Inspector (CVSS 9.4) affects versions before 0.14.1.
2. Malicious websites can execute code on victims' machines using the 0.0.0.0-day exploit and CSRF attacks.
3. Threatens developers using MCP tools, enabling data theft and system compromise.
4. Upgrade to version 0.14.1+ immediately using npm install -g "@modelcontextprotocol/inspector@^0.14.1".
Anthropic’s MCP Inspector RCE Flaw
The vulnerability was initially reported to Anthropic by Oligo Security Research in April 2025, following an earlier report from another researcher in March 2025.
The flaw affects all versions of MCP Inspector prior to 0.14.1, allowing attackers to execute arbitrary code on developers’ machines simply by tricking victims into visiting malicious websites.
The MCP Inspector is an official debugging tool from Anthropic consisting of two main components: the MCP Inspector Client (MCPI), a React-based web interface, and the MCP Proxy (MCPP), a Node.js server that bridges web UI communications with MCP servers.
When developers follow the standard quickstart documentation and run the mcp dev command, the tool launches with default configurations that lack proper authentication mechanisms, creating a significant attack surface.
The vulnerability particularly targets AI developers and organizations using MCP for agent-to-tool communications.
Major technology companies, including Microsoft and Google, which increasingly rely on MCP-related technologies for AI and cloud services, could be affected if they run vulnerable versions of the inspector tool.
The attack exploits a combination of Cross-Site Request Forgery (CSRF) vulnerabilities and the notorious “0.0.0.0-day” browser vulnerability that has remained unpatched in major browsers like Chrome and Firefox for 19 years.
Attackers can craft malicious JavaScript payloads that target the MCP Inspector’s /sse endpoint, leveraging the stdio transport mechanism.
A typical attack payload targets http://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser, allowing attackers to execute system commands remotely.
The malicious code can be embedded in websites, blog posts, or other web content, making the attack vector particularly dangerous for developers who frequently browse technical content online.
The 0.0.0.0 IP address bypass allows malicious websites to communicate with localhost services, circumventing traditional browser security controls.
This enables attackers to gain full access to the victim’s machine, steal sensitive data, install backdoors, and potentially move laterally across connected networks.
Risk Factors | Details
Affected Products | Anthropic MCP Inspector versions < 0.14.1
Impact | Remote Code Execution (RCE), arbitrary command execution
Exploit Prerequisites | Victim running vulnerable MCP Inspector tool and visiting malicious website containing crafted JavaScript payload
CVSS 3.1 Score | 9.4 (Critical)
Mitigations
Anthropic promptly addressed the vulnerability in MCP Inspector version 0.14.1 by implementing session token authentication similar to Jupyter notebooks.
The fix includes authorization mechanisms and origin verification to prevent CSRF attacks and DNS rebinding attempts.
Developers should immediately upgrade to version 0.14.1 or later using the command npm install -g "@modelcontextprotocol/inspector@^0.14.1".
Users can verify their current version with npm list -g and should check both global installations and project-specific instances in node_modules directories.
The updated version generates unique session tokens by default and includes improved security documentation. Anthropic has also enhanced origin verification, completely mitigating browser-based attack vectors from public websites targeting localhost services.
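The two controls described above, a per-session token plus Host and Origin checks, sketched as an added JavaScript example; this is not Anthropic's code or the Inspector's actual implementation. Only port 6277 comes from the article; the client port 6274, the Authorization: Bearer header and the token value are assumptions.

```javascript
// Added example, not MCP Inspector source. Port 6277 is from the article;
// client port 6274, the Authorization header and the token are assumptions.
const ALLOWED_HOSTS = new Set(['localhost:6277', '127.0.0.1:6277']);
const ALLOWED_ORIGINS = new Set(['http://localhost:6274', 'http://127.0.0.1:6274']);

// Compare secrets without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// headers: lower-cased names, as Node's http module exposes them.
function checkProxyRequest(headers, sessionToken) {
  // 1. Host allowlist: rejects 0.0.0.0 and DNS-rebinding hostnames.
  const host = String(headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { allowed: false, status: 403, reason: 'host' };
  // 2. Origin allowlist when present. Browsers omit Origin on some requests,
  //    so its absence is not treated as proof of a trusted caller.
  const origin = headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(String(origin).toLowerCase())) {
    return { allowed: false, status: 403, reason: 'origin' };
  }
  // 3. Per-session token: a cross-origin page cannot read it, so cannot send it.
  const m = /^Bearer (\S+)$/.exec(String(headers.authorization || ''));
  if (!m || !constantTimeEqual(m[1], sessionToken)) {
    return { allowed: false, status: 401, reason: 'token' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed sample requests (header sets only), not captured traffic.
const TOKEN = 'constructed-session-token-0123456789abcdef';
const SAMPLES = [
  { host: '0.0.0.0:6277', origin: 'https://attacker.example' },
  { host: 'rebind.attacker.example:6277' },
  { host: 'localhost:6277', origin: 'https://attacker.example' },
  { host: 'localhost:6277' },
  { host: 'localhost:6277', origin: 'http://localhost:6274', authorization: `Bearer ${TOKEN}` },
];
for (const h of SAMPLES) console.log(h.host, h.origin || '-', checkProxyRequest(h, TOKEN).reason);
```

The fourth sample shows why the token is the decisive control: a request with an acceptable Host and no Origin header still fails without it.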