CVE-2025-66454
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcade_mcp | arcade_mcp | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Arcade MCP prior to version 1.5.4 is caused by the HTTP server using a hardcoded default worker secret, "dev", which is neither validated nor overridden during normal server startup. Because JWTs for the worker endpoints are signed with this secret, any unauthenticated attacker who knows the default can forge valid JWTs and bypass the FastAPI authentication layer, gaining remote access to all worker endpoints without credentials.
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely access all worker endpoints of the Arcade MCP server without any credentials. This includes the ability to enumerate and invoke tools, potentially leading to unauthorized actions and data exposure.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the arcade-mcp HTTP server to version 1.5.4 or later, which removes the hardcoded default worker secret and validates the configured secret at startup. Until then, do not run the server with the default worker secret "dev", since that is what allows JWT forgery and the resulting bypass of authentication.
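The fail-closed pattern the fix describes, written as an added example (not code from BaseFortify or the arcade-mcp project): the worker refuses to start when its HS256 signing secret is unset, is the placeholder "dev", or is too short, and the verifier only accepts tokens signed under the configured secret. The environment variable name WORKER_SECRET and the length threshold are assumptions, not values from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical names: the advisory does not say how arcade-mcp reads its secret.
SECRET_ENV = "WORKER_SECRET"
DEFAULT_PLACEHOLDER = "dev"   # the hardcoded default described in CVE-2025-66454
MIN_SECRET_BYTES = 32         # HS256 key should be at least the hash length

class InsecureSecretError(RuntimeError):
    """Raised at startup when no acceptable signing secret is configured."""

def load_worker_secret(env) -> str:
    """Return the configured secret from a mapping such as os.environ, or fail closed."""
    secret = env.get(SECRET_ENV, "")
    if not secret:
        raise InsecureSecretError(f"{SECRET_ENV} is unset; refusing to start")
    if secret == DEFAULT_PLACEHOLDER:
        raise InsecureSecretError("worker secret is the placeholder 'dev'")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise InsecureSecretError("worker secret is too short for HS256")
    return secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256_jwt(claims: dict, secret: str) -> str:
    """Issue a token the way the legitimate worker issuer would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, secret: str):
    """Return the claims if the signature checks out under secret, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        given_sig = _unb64url(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None   # reject alg=none and algorithm-confusion headers
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    return json.loads(_unb64url(payload_b64))
```

A token minted under the placeholder "dev" fails verification once the server is started with a real secret, which is the property the 1.5.4 fix restores.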