Full Report
Cybersecurity researchers have discovered a critical security vulnerability in artificial intelligence (AI) company Anthropic's Model Context Protocol (MCP) Inspector project that could result in remote code execution (RCE) and allow an attacker to gain complete access to the hosts. The vulnerability, tracked as CVE-2025-49596, carries a CVSS score of 9.4 out of a maximum of 10.0. "This is one
Analysis Summary
# Vulnerability: Critical RCE in Anthropic MCP Inspector via Browser 0.0.0.0 Attack Chaining
## CVE Details
- CVE ID: CVE-2025-49596
- CVSS Score: 9.4 (Critical)
- CWE: Missing Authentication for Critical Function (implied by the root cause)
## Affected Systems
- Products: Anthropic Model Context Protocol (MCP) Inspector
- Versions: Below 0.14.1
- Configurations: Default configurations, especially when the server is exposed or accessible, even locally.
## Vulnerability Description
This critical vulnerability (CVE-2025-49596) in MCP Inspector results from a lack of authentication between the Inspector client and the proxy server. This allows an unauthenticated attacker to launch MCP commands over `stdio` by sending specially crafted requests. The exploit chains this flaw with the "0.0.0.0 Day" browser vulnerability (which allows malicious websites to target services listening on 0.0.0.0, including localhost), enabling **Remote Code Execution (RCE)** on the developer's host simply by tricking a user into visiting a malicious website. DNS rebinding techniques can also be leveraged to bypass security controls.
## Exploitation
- Status: PoC available (Proof-of-concept demonstrated using SSE endpoint)
- Complexity: Low (Leverages a known browser flaw and lack of authentication)
- Attack Vector: Network (Triggered via a malicious website visit)
## Impact
- Confidentiality: Complete access to steal data
- Integrity: Complete access to install backdoors and modify systems
- Availability: Complete compromise of the host system
## Remediation
### Patches
- Upgrade MCP Inspector to **version 0.14.1** or later.
### Workarounds
- Ensure the MCP Inspector server is **not exposed to any untrusted network**.
- The patch resolves the authentication gap. Where an immediate upgrade is not possible, the implied recommendation is to avoid default configurations that lack strong access control, encryption, or authentication.
## Detection
- **Indicators of Compromise (IoC):** Look for unexpected processes spawned by the MCP Inspector service, or for connections hitting the port where the Inspector proxy is running (the default port mentioned is 6277).
- **Detection Methods and Tools:** Monitor HTTP requests targeting the Inspector service, specifically looking for abnormal **Host and Origin headers**, or requests destined for `0.0.0.0` followed by attempts to execute commands via `stdio`.
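The Host/Origin check described above, as an added example (not code from the MCP Inspector project or the cited reports): it scans a constructed JSON-lines request capture and flags requests to the proxy port whose Host is not a loopback name or whose Origin is not a local page. The record format, field names, sample values, and the loopback allow-list are assumptions.

```python
import json
from urllib.parse import urlsplit

PROXY_PORT = 6277  # default Inspector proxy port named on this page
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: names a local client legitimately uses

# Constructed sample records (hypothetical JSON-lines format from a local HTTP capture).
SAMPLE_LOG = """\
{"dst_port": 6277, "path": "/sse", "host": "localhost:6277", "origin": "http://localhost:6274"}
{"dst_port": 6277, "path": "/sse", "host": "0.0.0.0:6277", "origin": "https://site.example"}
{"dst_port": 6277, "path": "/sse", "host": "rebind.example:6277", "origin": "http://rebind.example:6277"}
{"dst_port": 6277, "path": "/sse", "host": "127.0.0.1:6277", "origin": null}
{"dst_port": 8080, "path": "/", "host": "0.0.0.0:8080", "origin": "https://site.example"}
"""

def _hostname(value, is_origin=False):
    """Lower-cased hostname from a Host header or an Origin value, or None if unparsable."""
    try:
        return urlsplit(value if is_origin else "//" + value).hostname
    except ValueError:
        return None

def findings(record):
    """Reasons this request to the Inspector proxy looks abnormal (empty list = expected)."""
    if record.get("dst_port") != PROXY_PORT:
        return []
    reasons = []
    host = record.get("host")
    if host is None or _hostname(host) not in LOOPBACK:
        reasons.append(f"Host header {host!r} is not a loopback name")
    origin = record.get("origin")  # absent for non-browser clients, so only judged when present
    if origin is not None and _hostname(origin, is_origin=True) not in LOOPBACK:
        reasons.append(f"Origin {origin!r} is not a local page")
    return reasons

def scan(log_text):
    """Return (line_number, reasons) for every flagged line of a JSON-lines capture."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            reasons = findings(json.loads(line))
            if reasons:
                hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

The Host check covers both cases named in the description: a request addressed to `0.0.0.0` and a DNS-rebound request, which still carries the rebinding hostname in its Host header.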
## References
- Vendor Advisory: github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g
- Primary Report: oligosecurity.com/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
- Release Notes: github.com/modelcontextprotocol/inspector/releases/tag/0.14.1