CVE-2025-64340
Status: Received - Intake
Command Injection in FastMCP Installers via Shell Metacharacters

Publication date: 2026-04-03

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: jlowin
Product: fastmcp
Version / Range: all versions before 3.2.0 (3.2.0 itself is excluded; it is the fixed release)
CWE
CWE-78 (Improper Neutralization of Special Elements used in an OS Command): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in FastMCP versions prior to 3.2.0. It is triggered when a server name containing shell metacharacters, such as '&', is handed to the target CLI by 'fastmcp install claude-code' or 'fastmcp install gemini-cli' on a Windows system.

Passing a list to subprocess.run() normally rules out shell interpretation, because no shell is involved. Windows is the exception: CreateProcess takes a single flat command string, so Python joins the list with subprocess.list2cmdline(), which quotes an argument only when it contains whitespace or a double quote. A name such as test&calc is therefore emitted verbatim. On Windows the claude and gemini command-line tools are typically installed through npm and resolve to .cmd wrapper scripts, and CreateProcess runs a .cmd or .bat file through cmd.exe. cmd.exe parses '&', '|', '<', '>' and '%' in the flattened string, so the text after '&' runs as a separate command.

This means an attacker who controls the server name (for example, the author of a server script that a Windows user installs) can append arbitrary commands that execute during installation with the installing user's privileges.

The issue was fixed in FastMCP version 3.2.0.


How can this vulnerability impact me?

This vulnerability can lead to command injection on Windows systems during the installation of a FastMCP server into Claude Code or Gemini CLI if the server name contains shell metacharacters. It is only reachable through those local install commands; nothing is exposed over the network.

An attacker who can influence the server name, for example by publishing a server script that a Windows developer then installs with fastmcp install, could execute arbitrary commands with the privileges of the user running the installation, potentially leading to compromise of confidentiality, integrity, and availability of that system.

The CVSS v3.1 base score of 6.7 indicates a medium severity with high impact on confidentiality, integrity, and availability, but requiring local access with high attack complexity and user interaction.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade FastMCP to version 3.2.0 or later, where the issue has been patched. Until the upgrade is in place, on Windows do not run fastmcp install claude-code or fastmcp install gemini-cli against server scripts from sources you do not trust, and check that the server's name consists only of letters, digits, dots, dashes and underscores before installing it. Linux and macOS installs do not pass through cmd.exe and are not affected by this particular flaw.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2025-64340 is a command injection vulnerability that allows arbitrary code execution on Windows systems through improperly sanitized server names containing shell metacharacters. This vulnerability can lead to unauthorized access, data manipulation, or disruption of services.

Such impacts on confidentiality, integrity, and availability (all rated high in the CVSS) can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Failure to mitigate this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized system control.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The reliable check is the installed version. Run `pip show fastmcp` (or `python -c "import importlib.metadata as m; print(m.version('fastmcp'))"`) in each Python environment on each Windows machine where FastMCP is used, and treat anything below 3.2.0 as vulnerable. There is no network-facing component, so there is no port or service to scan for; the flaw is only reachable through the local install commands.

If you want to confirm the behaviour directly, do so on a disposable Windows VM with the affected version, a benign payload, and the claude or gemini CLI installed, so that the install command actually reaches a .cmd wrapper:

  • In server.py, give the server a name containing a metacharacter, for example FastMCP("test&calc").
  • Run the command: `fastmcp install claude-code server.py` on the Windows machine.
  • Alternatively, run: `fastmcp install gemini-cli server.py`.

If the Windows Calculator application (`calc`) launches, cmd.exe executed the text after '&' as a separate command, which confirms the command injection. The same test on FastMCP 3.2.0 or later, or on Linux or macOS where no cmd.exe wrapper is involved, should not launch calc.

