CVE-2025-58444
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| modelcontextprotocol | inspector | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-84 | The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the MCP Inspector local development tool versions prior to 0.16.6. It occurs when connecting to untrusted remote MCP servers that use a malicious redirect URI. Exploiting this vulnerability allows an attacker to interact directly with the inspector proxy and trigger arbitrary command execution.
How can this vulnerability impact me?
The vulnerability can lead to arbitrary command execution on the system running the MCP Inspector tool. This means an attacker could potentially execute malicious commands, compromising the security and integrity of the affected system.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to update the MCP Inspector local development tool to version 0.16.6 or later to resolve this issue.