Critical Anthropic MCP Vulnerability Exposes Developer Machines to Remote Attacks


Critical Vulnerability in Anthropic’s MCP Inspector: A Security Alert

Cybersecurity experts have uncovered a significant security flaw in Anthropic’s Model Context Protocol (MCP) Inspector project, posing a potential risk for developers and enterprises using this AI technology. This vulnerability could permit remote code execution (RCE), enabling attackers to gain complete control over affected systems.

Understanding the Vulnerability

Designated as CVE-2025-49596, the vulnerability has been assigned a critical severity score of 9.4 on the CVSS scale, which ranges from 0 to 10. According to Avi Lumelsky from Oligo Security, this represents one of the first critical RCE threats within Anthropic’s MCP environment, highlighting a new category of browser-based vulnerabilities affecting AI development tools.

“When attackers achieve code execution on a developer’s machine, they can steal sensitive data, install backdoors, and pivot across networks,” Lumelsky noted. This situation emphasizes the serious implications for AI development teams, open-source projects, and businesses that depend on MCP.

What is MCP?

Introduced by Anthropic in November 2024, MCP is designed to standardize the integration and data-sharing protocols for large language model (LLM) applications. The MCP Inspector serves as a vital tool for developers, enabling them to test and debug MCP servers. These servers expose capabilities through the protocol, allowing AI systems to access information beyond their initial training datasets.

The MCP Inspector includes two main components: a client for an interactive testing interface and a proxy server that connects the web UI with different MCP servers.

Security Risks Associated with MCP Inspector

A critical aspect of the MCP Inspector’s operation is ensuring that the server is not exposed to untrusted networks. Because the proxy can launch local processes, exposing it without proper safeguards carries substantial risk. The default settings used by developers often come with “significant” security weaknesses, such as the absence of authentication and encryption, setting the stage for potential attacks.

As Lumelsky points out, misconfigurations can create large attack surfaces, allowing anyone with access to the local network or even the public internet to interact with and exploit the MCP servers.

The Method of Attack

The attack mechanism involves exploiting known security flaws in modern web browsers, specifically a vulnerability referred to as "0.0.0.0 Day," combined with a cross-site request forgery (CSRF) vulnerability within the MCP Inspector. By manipulating these flaws, an attacker can execute arbitrary code on a developer’s machine simply by luring them to a malicious website.

Versions of MCP Inspector prior to 0.14.1 are particularly vulnerable due to the lack of authentication between the Inspector client and the proxy server. Consequently, unauthenticated requests could trigger MCP commands on the proxy.

Lumelsky explains that attackers could craft a malicious website capable of sending requests to local services running on an MCP server, thus executing arbitrary commands without the developer’s knowledge.

How the Exploit Works

The proof-of-concept (PoC) for this exploit takes advantage of the Server-Sent Events (SSE) endpoint. This allows a malicious request to be dispatched from an attacker-controlled site, leading to RCE on any machine running the MCP Inspector, even if it listens solely to localhost (127.0.0.1). The IP address 0.0.0.0 directs the operating system to accept connections on all assigned IP addresses, which includes the local loopback interface.

For example, an attacker might create a deceptive webpage to trick a developer into visiting. Once the developer accesses the page, malicious JavaScript embedded within it can send commands to the proxy server running on 0.0.0.0:6277, effectively executing arbitrary commands on the developer’s machine.

Additionally, attackers can employ DNS rebinding attacks to forge DNS records pointing to 0.0.0.0 or 127.0.0.1, circumventing security measures in place.

Response to the Vulnerability

Following the disclosure of this vulnerability in April 2025, the maintainers of the MCP Inspector addressed the issue on June 13 with the release of version 0.14.1. This update introduced a session token to the proxy server and implemented origin validation, effectively closing the attack vector.

Oligo emphasizes that while localhost services often seem secure, they can be exposed to public internet threats due to various network routing capabilities in browsers and MCP clients. The latest mitigation involves adopting authorization features that were absent in earlier versions, as well as verifying the Host and Origin headers in HTTP requests. These changes mean that the server now proactively blocks DNS rebinding and CSRF attacks, significantly enhancing its security posture.

This crucial update serves as a reminder to developers about the importance of securing their environments, especially when dealing with advanced AI systems like those offered by Anthropic.
