Cybersecurity researchers have discovered a critical security vulnerability in artificial intelligence (AI) company Anthropic's Model Context Protocol (MCP) Inspector project that could result in remote code execution (RCE) and allow an attacker to gain complete access to the hosts.
The vulnerability, tracked as CVE-2025-49596, carries a CVSS score of 9.4 out of a maximum of 10.0.
"This is one of the first critical RCEs in Anthropic's MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools," Oligo Security's Avi Lumelsky said in a report published last week.
"With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP."
MCP, introduced by Anthropic in November 2024, is an open protocol that standardizes the way large language model (LLM) applications integrate and share data with external data sources and tools.
The MCP Inspector is a developer tool for testing and debugging MCP servers, which expose specific capabilities through the protocol and allow an AI system to access and interact with information beyond its training data.
It contains two components, a client that provides an interactive interface for testing and debugging, and a proxy server that bridges the web UI to different MCP servers.
That said, a key security consideration to keep in mind is that the server should not be exposed to any untrusted network as it has permission to spawn local processes and can connect to any specified MCP server.
This aspect, coupled with the fact that the default settings developers use to spin up a local version of the tool come with "significant" security risks, such as missing authentication and encryption, opens up a new attack pathway, per Oligo.
"This misconfiguration creates a significant attack surface, as anyone with access to the local network or public internet can potentially interact with and exploit these servers," Lumelsky said.
The attack plays out by chaining a known security flaw affecting modern web browsers, dubbed 0.0.0.0 Day, with a cross-site request forgery (CSRF) vulnerability in Inspector (CVE-2025-49596) to run arbitrary code on the host simply upon visiting a malicious website.
"Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio," the developers of MCP Inspector said in an advisory for CVE-2025-49596.
0.0.0.0 Day is a 19-year-old vulnerability in modern web browsers that could enable malicious websites to breach local networks. It takes advantage of the browsers' inability to securely handle the IP address 0.0.0.0, leading to code execution.
"Attackers can exploit this flaw by crafting a malicious website that sends requests to localhost services running on an MCP server, thereby gaining the ability to execute arbitrary commands on a developer's machine," Lumelsky explained.
"The fact that the default configurations expose MCP servers to these kinds of attacks means that many developers may be inadvertently opening a backdoor to their machine."
Specifically, the proof-of-concept (PoC) makes use of the Server-Sent Events (SSE) endpoint to dispatch a malicious request from an attacker-controlled website to achieve RCE on the machine running the tool even if it's listening on localhost (127.0.0.1).
This works because the IP address 0.0.0.0 tells the operating system to listen on all IP addresses assigned to the machine, including the local loopback interface (i.e., localhost).
In a hypothetical attack scenario, an attacker could set up a fake web page and trick a developer into visiting it, at which point, the malicious JavaScript embedded in the page would send a request to 0.0.0.0:6277 (the default port on which the proxy runs), instructing the MCP Inspector proxy server to execute arbitrary commands.
The attack can also leverage DNS rebinding techniques to create a forged DNS record that points to 0.0.0.0:6277 or 127.0.0.1:6277 in order to bypass security controls and gain RCE privileges.
Following responsible disclosure in April 2025, the vulnerability was addressed by the project maintainers on June 13 with the release of version 0.14.1. The fixes add a session token to the proxy server and incorporate origin validation to completely plug the attack vector.
"Localhost services may appear safe but are often exposed to the public internet due to network routing capabilities in browsers and MCP clients," Oligo said.
"The mitigation adds Authorization which was missing in the default prior to the fix, as well as verifying the Host and Origin headers in HTTP, making sure the client is really visiting from a known, trusted domain. Now, by default, the server blocks DNS rebinding and CSRF attacks."
The discovery of CVE-2025-49596 comes days after Trend Micro detailed an unpatched SQL injection bug in Anthropic's SQLite MCP server that could be exploited to seed malicious prompts, exfiltrate data, and take control of agent workflows.
"AI agents often trust internal data whether from databases, log entry, or cached records, agents often treat it as safe," researcher Sean Park said. "An attacker can exploit this trust by embedding a prompt at that point and can later have the agent call powerful tools (email, database, cloud APIs) to steal data or move laterally, all while sidestepping earlier security checks."
Although the open-source project has been billed as a reference implementation and not intended for production use, it has been forked over 5,000 times. The GitHub repository was archived on May 29, 2025, meaning no patches have been planned to address the shortcoming.
"The takeaway is clear. If we allow yesterday's web-app mistakes to slip into today's agent infrastructure, we gift attackers an effortless path from SQL injection to full agent compromise," Park said.
The findings also follow a report from Backslash Security that found hundreds of MCP servers to be susceptible to two major misconfigurations: Allowing arbitrary command execution on the host machine due to unchecked input handling and excessive permissions, and making them accessible to any party on the same local network owing to them being explicitly bound to 0.0.0.0, a vulnerability dubbed NeighborJack.
"Imagine you're coding in a shared coworking space or café. Your MCP server is silently running on your machine," Backslash Security said. "The person sitting near you, sipping their latte, can now access your MCP server, impersonate tools, and potentially run operations on your behalf. It's like leaving your laptop open – and unlocked for everyone in the room."
Because MCPs, by design, are built to access external data sources, they can serve as covert pathways for prompt injection and context poisoning, thereby influencing the outcome of an LLM when parsing data from an attacker-controlled site that contains hidden instructions.
"One way to secure an MCP server might be to carefully process any text scraped from a website or database to avoid context poisoning," researcher Micah Gold said. "However, this approach bloats tools – by requiring each individual tool to reimplement the same security feature – and leaves the user dependent on the security protocol of the individual MCP tool."
A better approach, Backslash Security noted, is to configure AI rules with MCP clients to protect against vulnerable servers. These rules refer to pre-defined prompts or instructions that are assigned to an AI agent to guide its behavior and ensure it does not break security protocols.
"By conditioning AI agents to be skeptical and aware of the threat posed by context poisoning via AI rules, MCP clients can be secured against MCP servers," Gold said.
