CVE-2025-64340
Received Received - Intake
Command Injection in FastMCP Installers via Shell Metacharacters

Publication date: 2026-04-03

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64340
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jlowin fastmcp to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FastMCP versions prior to 3.2.0. It occurs when server names containing shell metacharacters, such as '&', are used during installation commands like 'fastmcp install claude-code' or 'fastmcp install gemini-cli' on Windows systems.

Although these commands use subprocess.run() with a list argument, on Windows the target command line interfaces often resolve to .cmd wrapper scripts executed through cmd.exe. This causes the shell metacharacters in the server names to be interpreted by the Windows command shell, leading to command injection.

This means an attacker could craft server names that inject arbitrary commands during installation, potentially executing malicious code.

The issue was fixed in FastMCP version 3.2.0.

Impact Analysis

This vulnerability can lead to command injection on Windows systems during the installation of certain FastMCP components if server names contain shell metacharacters.

An attacker exploiting this could execute arbitrary commands with the privileges of the user running the installation, potentially leading to compromise of confidentiality, integrity, and availability of the affected system.

The CVSS v3.1 base score of 6.7 indicates a medium severity with high impact on confidentiality, integrity, and availability, but requiring local access with high attack complexity and user interaction.

Mitigation Strategies

To mitigate this vulnerability, upgrade FastMCP to version 3.2.0 or later, where the issue has been patched.

Compliance Impact

CVE-2025-64340 is a command injection vulnerability that allows arbitrary code execution on Windows systems through improperly sanitized server names containing shell metacharacters. This vulnerability can lead to unauthorized access, data manipulation, or disruption of services.

Such impacts on confidentiality, integrity, and availability (all rated high in the CVSS) can affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Failure to mitigate this vulnerability could result in violations of these regulations due to potential data breaches or unauthorized system control.

Detection Guidance

This vulnerability can be detected by attempting to exploit command injection through the FastMCP install commands on a Windows system. Specifically, if a server name containing shell metacharacters (such as "&") is used with the commands `fastmcp install claude-code` or `fastmcp install gemini-cli`, arbitrary commands may be executed.

A practical detection method is to create a FastMCP server with a name including a shell metacharacter and then run one of the vulnerable install commands to observe if unintended commands execute.

  • Create a server with a name like "test&calc".
  • Run the command: `fastmcp install claude-code server.py` on a Windows machine.
  • Alternatively, run: `fastmcp install gemini-cli server.py`.

If the Windows Calculator application (`calc`) launches, this confirms the presence of the command injection vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart