AI developer tool MCP Inspector: Critical vulnerability allows code execution
There is a critical security vulnerability in Anthropic's MCP Inspector, a debugging tool for MCP servers. It allows malicious code to be executed.
IT security researchers have discovered a critical vulnerability in Anthropic's AI tool MCP Inspector. This allows attackers to execute code on vulnerable systems without prior login.
In the vulnerability description, the researchers explain that there is no authentication mechanism between the MCP Inspector client and the MCP proxy. This allows the injection of MCP commands via HTTP stdio, ultimately leading to the execution of malicious code from the network (CVE-2025-49596 / no EUVD, CVSS 9.4, risk “critical”).
Further details on the vulnerability
In a blog post, the Oligo researchers who discovered the vulnerability describe it in more detail. It concerns developer tools for the Model Context Protocol (MCP), a type of middleware developed by Anthropic that mediates in a standardized way between arbitrary applications, data sources, tools, or services and an AI or LLM, and can thus execute actions. MCP servers are APIs that enable interactions between systems in the “real world” and run on cloud instances or locally on developer machines. As a rule, Python or JavaScript is used. The MCP servers usually use client libraries provided by Anthropic.
The official Anthropic tool set is generally used to test and debug MCP servers. This includes the MCP Inspector, which consists of two parts: the MCP Inspector Client (MCPI), a web interface for interactively testing and debugging MCP servers, and the MCP Proxy, a Node.js-based server that connects the web interface to MCP servers via various protocols, such as stdio, SSE or streamable-HTTP. For example, stdio is used for local process communication with command-line tools: the MCP client starts a local script via the stdin interface and receives the output back from stdout.
The MCP Inspector runs by default when the MCP-dev command is called and provides an HTTP server that listens for incoming connections. The standard configuration comes without sufficient security measures such as authentication or encryption. This means that anyone on the same network or, in some cases, on the Internet can interact with the MCP servers and misuse them, the IT researchers explain. The documentation indicates that the MCP proxy should only be operated in trustworthy networks.
However, this does not go far enough. The vulnerability CVE-2025-49596 also enables cross-site request forgeries (CSRF) from public websites. They can trigger malicious requests that result in the execution of malicious code from the network on the MCP developer machine. This is possible even if the MCP proxy is only listening on 127.0.0.1/localhost. In their investigations, the Oligo analysts also discovered MCP Inspector instances accessible from the Internet.
Developers should quickly update the MCP Inspector to version 0.14.1 or newer. In that version, Anthropic adds session handling with session tokens and verification of the connection origin.
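The two measures named above, a session token and a check of the connection origin, can be sketched as a gate placed in front of a local Node.js proxy handler. This is an added example, not MCP Inspector's actual code; the function names, the ports and the use of a Bearer header are assumptions made for illustration.

```javascript
// Added example (not MCP Inspector's code): gate for a localhost debug proxy.
const crypto = require('node:crypto');
const http = require('node:http');

// Hypothetical config: a random per-launch token and the single UI origin
// that may talk to the proxy. The port is a constructed sample value.
function newProxyConfig(uiOrigin = 'http://localhost:9000') {
  return {
    token: crypto.randomBytes(32).toString('hex'),
    allowedOrigins: new Set([uiOrigin]),
  };
}

// Compare secrets on fixed-length digests so timing does not leak a prefix match.
function tokenMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(String(presented)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide whether a request may reach the handler that talks to MCP servers.
// `headers` uses lower-case names, as Node's http module delivers them.
function authorizeRequest(headers, cfg) {
  // Origin check: a request sent by a page on another site carries that
  // site's Origin, so it is refused even though it arrives on 127.0.0.1.
  const origin = headers.origin;
  if (origin !== undefined && !cfg.allowedOrigins.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // Session token: required for every client, including ones without Origin.
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  if (!m || !tokenMatches(m[1], cfg.token)) {
    return { ok: false, status: 401, reason: 'missing or invalid session token' };
  }
  return { ok: true, status: 200, reason: 'authorized' };
}

// Wrap a handler so that no request is processed before both checks pass.
function createGuardedServer(cfg, handler) {
  return http.createServer((req, res) => {
    const verdict = authorizeRequest(req.headers, cfg);
    if (!verdict.ok) {
      res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
      return res.end(verdict.reason);
    }
    handler(req, res);
  });
}
```

Binding the server to 127.0.0.1 is still advisable, but as the article notes it is not sufficient on its own; the token and origin checks are what stop a request triggered from a public website.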
(dmk)