Ethical Hacking News
Anthropic's Model Context Protocol (MCP) Inspector, the developer tool for testing and debugging MCP servers, shipped with a critical vulnerability (CVE-2025-49596, CVSS 9.4 out of 10.0) that lets a web page visited by a developer make the Inspector's proxy server run arbitrary commands on the developer's machine, even though the proxy only listens locally. The proxy's Server-Sent Events (SSE) endpoint accepted requests without authentication or origin checks, so malicious JavaScript could reach it at 0.0.0.0:6277 directly or through DNS rebinding. Version 0.14.1 adds a session token and Host/Origin validation to the proxy; AI teams, open-source projects and enterprise adopters running the Inspector should upgrade and treat "localhost only" developer tools as reachable from the browser.
Researchers have identified a critical vulnerability in Anthropic's Model Context Protocol (MCP) Inspector project. Tracked as CVE-2025-49596, it carries a CVSS score of 9.4 out of a maximum of 10.0 and exposes developer machines to remote code execution (RCE). The impact reaches AI teams, open-source projects, and enterprise adopters that rely on MCP tooling in their development workflow.
MCP, introduced by Anthropic in November 2024, is an open protocol that standardizes how large language model (LLM) applications integrate and share data with external data sources and tools. MCP servers expose specific capabilities through the protocol and let an AI system access and act on information beyond its training data. The MCP Inspector is the developer tool for testing and debugging those servers. It has two components: a client that provides an interactive web interface for testing and debugging, and a proxy server that bridges the web UI to the MCP servers under test, including servers launched as local processes over stdio.
The vulnerability lies in the proxy's Server-Sent Events (SSE) endpoint, which accepted requests without any authentication and without checking where they came from, so an attacker-controlled website could dispatch a request that makes the proxy execute a command on the machine running the tool, even though the proxy is only reachable locally. Two things combine to make that possible. First, the proxy bound to 0.0.0.0, which tells the operating system to accept connections on every address assigned to the machine, including the loopback interface (localhost). Second, browsers have historically let a web page send requests to 0.0.0.0, and the operating system delivers those requests to the local machine. In the attack scenario, an attacker sets up a web page and tricks a developer into visiting it; the JavaScript embedded in the page then sends a request to 0.0.0.0:6277 (the default port on which the proxy runs), and because the proxy trusts every request it receives, the request can instruct it to spawn an arbitrary command.
The attack can also use DNS rebinding, which does not depend on the browser permitting requests to 0.0.0.0. The attacker serves the page from a domain they control and, after the page has loaded, switches the domain's DNS answer to 0.0.0.0 or 127.0.0.1. Requests from the page to its own origin on port 6277 now land on the local proxy, and because they are same-origin from the browser's point of view, the browser's cross-origin protections do not apply; only a server-side check of the Host header would have caught the foreign domain. Following responsible disclosure in April 2025, the project maintainers addressed the vulnerability on June 13 with the release of version 0.14.1. The fix adds a session token to the proxy server and validates the request origin, closing both the direct and the rebinding variant.
This vulnerability highlights the need for greater security awareness among developers working with AI protocols like MCP. As Oligo Security's Avi Lumelsky noted in a report published last week, "Localhost services may appear safe but are often exposed to the public internet due to network routing capabilities in browsers and MCP clients." Concretely, the mitigation adds an Authorization requirement that the proxy lacked by default before the fix, and verifies the HTTP Host and Origin headers so that only a client coming from a known, trusted origin is served. With those checks on by default, the proxy now rejects DNS rebinding and cross-site request forgery (CSRF) attempts instead of executing whatever reaches its port.
The discovery is a reminder that the tooling around AI systems needs the same scrutiny as the models themselves. A debugging proxy that spawns processes on behalf of a web UI is a command-execution service, and "it only listens on localhost" is not a security boundary when a browser on the same machine will forward requests to it. Anthropic has shipped the fix, so the practical steps are to upgrade MCP Inspector to 0.14.1 or later, to avoid leaving development proxies bound to 0.0.0.0 without authentication, and to apply the same token-plus-origin-validation pattern to any other local tool that an LLM client or browser can reach.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Anthropics-MCP-Exposes-Developer-Machines-to-Remote-Exploits-A-Wake-Up-Call-for-AI-Security-ehn.shtml
Published: Tue Jul 1 15:35:46 2025 by llama3.2 3B Q4_K_M