CVE-2025-49596

CRITICAL EXPLOITED NUCLEI

MCP Inspector < 0.14.1 - Unauthenticated Remote Code Execution via Stdio Command Injection

Exploitation Summary

CVE-2025-49596 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including adminlove520, acseguin21, pppxo. A Nuclei detection template is also available.

AI-analyzed exploit summary: The PoC exploits an RCE vulnerability in MCPJam inspector by sending crafted JSON payloads to the /api/mcp/connect endpoint, downloading a reverse shell script, and executing it. It uses curl to fetch the payload and chmod to make it executable.

Description

The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.

Exploits (5)

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-49596

The PoC exploits an RCE vulnerability in MCPJam inspector by sending crafted JSON payloads to the /api/mcp/connect endpoint, downloading a reverse shell script, and executing it. It uses curl to fetch the payload and chmod to make it executable.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MCPJam inspector prior to 1.4.2
No auth needed
Prerequisites: network access to target · attacker-controlled server to host payload · netcat listener for reverse shell
devstral-2 · analyzed Mar 25, 2026

nomisec WORKING POC
by acseguin21 · poc
https://github.com/acseguin21/trust-boundary-ctf

This repository contains a functional CTF lab demonstrating CVE-2025-49596, a session isolation failure in an MCP server where admin OAuth tokens leak into user responses due to a shared mutable context object. The exploit is embedded in the lab's design, allowing participants to extract flags via DevTools.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: MCP Server (custom implementation)
No auth needed
Prerequisites: Node.js >= 18 · local execution
devstral-2 · analyzed Apr 10, 2026

nomisec WORKING POC
by pppxo · remote
https://github.com/pppxo/CVE-2025-49596-PoC

This PoC exploits CVE-2025-49596, an RCE vulnerability in MCPJam inspector versions prior to 1.4.2. It leverages the `/api/mcp/connect` endpoint to execute arbitrary commands via crafted JSON payloads, ultimately delivering a reverse shell to the attacker.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MCPJam inspector < 1.4.2
No auth needed
Prerequisites: Network access to the target server · Python 3 environment · Netcat or similar listener for reverse shell
devstral-2 · analyzed Apr 09, 2026

github WORKING POC
by Acczdy · pythonpoc
https://github.com/Acczdy/CVE-Vault/tree/master/CVE-2025-49596

The repository contains a functional Python-based PoC for CVE-2025-49596, targeting an unauthenticated RCE vulnerability in MCP Inspector's SSE endpoint. The exploit constructs malicious requests to execute arbitrary commands via URL parameters.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: MCP Inspector Proxy Server < v0.14.1
No auth needed
Prerequisites: Network access to the target's SSE endpoint
devstral-2 · analyzed Mar 12, 2026

nomisec SCANNER
by ashiqrehan-21 · remote
https://github.com/ashiqrehan-21/MCP-Inspector-CVE-2025-49596

This script checks for CVE-2025-49596 by sending a crafted HTTP request to the MCP Inspector SSE endpoint and analyzing the response. It detects the absence of authentication requirements, indicating potential vulnerability.

Classification: Scanner 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: MCP Inspector (versions prior to v0.14.1)
No auth needed
Prerequisites: Network access to the target MCP Inspector instance · MCP Inspector running on default or specified port (6277)
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

MCP Inspector < 0.14.0 Unauthenticated Remote Code Execution
CRITICAL · VERIFIED · by ye11oc4t
FOFA: title="MCP Inspector"

Scores

CVSS v4 9.4
EPSS 0.0222
EPSS Percentile 84.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-10-15
CWE: CWE-306
Status published
Products (2)
modelcontextprotocol/inspector 0 - 0.14.1 npm
modelcontextprotocol/inspector < 0.14.1
Published Jun 13, 2025
Tracked Since Feb 18, 2026