CVE-2025-49596
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-07-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | Missing Authentication for Critical Function: the product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49596 is a remote code execution vulnerability in MCP Inspector versions below 0.14.1. The Inspector has two parts: a browser-based client and a local proxy server that launches MCP servers and relays traffic to them on the client's behalf. Before 0.14.1 there was no authentication between the two, so any request that reaches the proxy can instruct it to start an MCP server over the stdio transport, and that "server" is whatever command line the request names. An unauthenticated attacker who can reach the proxy, directly over the network or indirectly through a web page loaded in the developer's browser (the vector the origin and DNS-rebinding controls in the fixed release address), therefore obtains command execution on the machine running the Inspector without privileges or user interaction. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts on confidentiality (unauthorized disclosure of information), integrity (unauthorized modification of data) and availability (disruption of service). Because it yields remote code execution without privileges or user interaction, an attacker can fully compromise the host running the MCP Inspector proxy under the account that started it, typically a developer workstation, and from there reach any MCP servers, credentials or systems that account can access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
A host is affected if it runs an MCP Inspector proxy below version 0.14.1, which accepts requests with no credentials. The fixed release binds the proxy to localhost by default, so run the checks from the host itself. By default the Inspector UI listens on port 6274 and the proxy on port 6277; if you start it with SERVER_PORT set, use that port instead.
1. Find out which version is installed, for example with npm (packages pulled in by npx are cached elsewhere, so also check the project that depends on the inspector):
   npm ls -g --depth=0 @modelcontextprotocol/inspector
2. Check whether a proxy is listening and whether it is bound to localhost only (an address of 0.0.0.0 or * means it is reachable from the network):
   ss -ltnp | grep -E ':(6274|6277) '
3. Send a request to the proxy with no Authorization header:
   curl -v http://127.0.0.1:6277/config
   A fixed proxy answers 401 Unauthorized; if the request is served without an Authorization header carrying a Bearer token, the proxy is vulnerable. Use a harmless endpoint such as /config for this test rather than an endpoint that launches a command.
4. If you have the proxy console or logs, check whether a session token and a pre-filled URL containing it are printed on startup. Those appear only in 0.14.1 and later; their absence indicates an older, vulnerable version. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1. Upgrade MCP Inspector to version 0.14.1 or later, which enforces authentication between the Inspector client and the proxy server.
2. Keep the proxy bound to localhost (127.0.0.1); do not set HOST=0.0.0.0 or otherwise expose it on a network interface.
3. Use the authentication mechanism introduced in 0.14.1: every request to the proxy must carry the session token as a Bearer token in the Authorization header.
4. Do not disable authentication. DANGEROUSLY_OMIT_AUTH=true removes the only control that separates a fixed proxy from a vulnerable one and has no place outside a throwaway, isolated environment.
5. Configure the allowed origins (the ALLOWED_ORIGINS setting) so that only the Inspector UI's own origin is accepted; this is what blocks DNS-rebinding attacks from a web page.
6. Open the UI through the pre-filled URL the proxy prints at startup, which carries the session token, rather than typing the address by hand.
Together these ensure that only an authenticated client can ask the proxy to launch commands, which removes the remote code execution path. [1, 2]
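The following script is an added example that is not part of this page or of the MCP Inspector project. It turns the detection steps above into one check and also exercises the Bearer-token mechanism that the mitigation steps rely on: it compares the installed version against 0.14.1, sends an unauthenticated request to the proxy and expects 401, and, when MCP_PROXY_AUTH_TOKEN is set in the environment, repeats the request with the token. The proxy port (6277, overridable via SERVER_PORT), the choice of /config as a harmless endpoint behind the auth middleware, and the Authorization: Bearer header form are assumptions about the project's defaults, not facts stated by the advisory.

```shell
#!/bin/sh
# Added example (not the advisory's or the MCP Inspector project's own code):
# checks a host for CVE-2025-49596 exposure.
# Assumptions, not taken from the page:
#   - the proxy listens on 6277 (the UI on 6274), overridable via SERVER_PORT;
#   - GET /config is a harmless proxy endpoint that sits behind the auth middleware;
#   - a session token is sent as "Authorization: Bearer <token>".

FIXED_VERSION="0.14.1"
PROXY_PORT="${SERVER_PORT:-6277}"
PROXY_URL="http://127.0.0.1:${PROXY_PORT}"

# version_lt A B: true (exit 0) when dotted version A is strictly lower than B.
# Missing components count as 0, so 0.14 < 0.14.1 and 1.0 > 0.99.99.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# is_vulnerable_version V: true when V predates the fixed release.
is_vulnerable_version() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_version: version of a globally installed inspector, or empty.
# npx caches the package elsewhere; run "npm ls" inside the project that
# depends on the inspector to cover that case.
installed_version() {
  npm ls -g --depth=0 @modelcontextprotocol/inspector 2>/dev/null \
    | sed -n 's#.*@modelcontextprotocol/inspector@\([0-9][0-9.]*\).*#\1#p' \
    | head -n 1
}

# http_status URL [TOKEN]: HTTP status code, or 000 when nothing answers.
http_status() {
  if [ -n "$2" ]; then
    curl -s --max-time 5 -o /dev/null -w '%{http_code}' \
      -H "Authorization: Bearer $2" "$1"
  else
    curl -s --max-time 5 -o /dev/null -w '%{http_code}' "$1"
  fi
}

main() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "inspector: not found in the global npm tree (check project-local or npx installs)"
  elif is_vulnerable_version "$v"; then
    echo "inspector $v: VULNERABLE, upgrade to $FIXED_VERSION or later"
  else
    echo "inspector $v: fixed release"
  fi

  command -v curl >/dev/null 2>&1 || { echo "curl not available, skipping live check"; return 0; }
  code=$(http_status "$PROXY_URL/config")
  case "$code" in
    000) echo "proxy: nothing listening on $PROXY_URL" ;;
    401) echo "proxy: rejects unauthenticated requests (session-token auth active)"
         if [ -n "$MCP_PROXY_AUTH_TOKEN" ]; then
           echo "proxy: with Bearer token -> HTTP $(http_status "$PROXY_URL/config" "$MCP_PROXY_AUTH_TOKEN")"
         fi ;;
    *)   echo "proxy: answered HTTP $code without credentials, treat as VULNERABLE" ;;
  esac
}

main "$@"
```

Run it on the developer machine with the Inspector started; a fixed proxy prints the 401 line, and with MCP_PROXY_AUTH_TOKEN exported from the startup banner the authenticated retry should return 200. A 200 on the unauthenticated request, or any version below 0.14.1 in the npm tree, means the host is still exposed.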