GHSA-rj5c-58rq-j5g5

Published: 29 Oct 2025
Source: github
GitHub: reviewed
CVSS4: 5.4

Description

FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name

Summary

A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP server execute arbitrary OS commands on Windows hosts that run fastmcp install cursor.

Details

  1. generate_cursor_deeplink(server_name, …) embeds server_name verbatim in a cursor://…?name= query string.
  2. open_deeplink() is invoked with shell=True only on Windows, which runs the deeplink through cmd.exe /c start.
  3. Any cmd metacharacter inside server_name (&, |, >, ^, …) escapes the start command and spawns an attacker-chosen process.

PoC

server.py

```python
import random
from fastmcp import FastMCP

# "&" is a cmd.exe metacharacter; it ends up verbatim in the cursor:// deeplink
mcp = FastMCP(name="test&calc")


@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]


if __name__ == "__main__":
    mcp.run()
```

then run in the terminal: fastmcp install cursor server.py
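A hardened counterpart to the pattern described in Details, added here as an example; it is neither FastMCP's own code nor its 2.13.0 fix. It allow-lists server_name, percent-encodes every query value, and opens the deeplink without a shell (os.startfile on Windows, an argv list elsewhere). The function names and the deeplink base path are placeholders.

```python
# Added example, not FastMCP code. Names and DEEPLINK_BASE are hypothetical.
import os
import re
import subprocess
import sys
from urllib.parse import quote

DEEPLINK_BASE = "cursor://example/mcp/install"  # placeholder path

# A server name used inside a deeplink should be a plain identifier.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# cmd.exe metacharacters that break out of `cmd.exe /c start <url>`
# (the ones named in the advisory plus a few common ones).
_CMD_META = set('&|<>^%"')


def contains_cmd_metachar(value: str) -> bool:
    """Detection helper: does the value carry any cmd.exe metacharacter?"""
    return any(ch in _CMD_META for ch in value)


def validate_server_name(server_name: str) -> str:
    """Allow-list check; rejects names such as the advisory's "test&calc"."""
    if not _SAFE_NAME.fullmatch(server_name):
        raise ValueError(f"unsafe server_name: {server_name!r}")
    return server_name


def generate_cursor_deeplink(server_name: str, config_b64: str) -> str:
    """Build the deeplink with every query value percent-encoded.

    Even if a metacharacter slipped past the allow-list, quote() turns
    "&" into "%26", so the URL never contains a raw cmd metacharacter.
    """
    name = quote(validate_server_name(server_name), safe="")
    cfg = quote(config_b64, safe="")
    return f"{DEEPLINK_BASE}?name={name}&config={cfg}"


def open_deeplink(url: str) -> None:
    """Open the URL without any shell parsing of its contents."""
    if sys.platform == "win32":
        # ShellExecute via os.startfile: cmd.exe is never involved, so the
        # URL is not re-parsed for &, |, >, ^ ... (unlike shell=True).
        os.startfile(url)  # Windows-only API
    else:
        opener = "open" if sys.platform == "darwin" else "xdg-open"
        subprocess.run([opener, url], check=False)  # argv list, shell=False
```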

Impact

OS Command / Shell Injection (CWE-78). Every Windows host that runs fastmcp install cursor is at risk: developers' local workstations, CI/CD agents and corporate build machines alike.

Packages

Name: fastmcp (pip)
Affected versions: < 2.13.0
Fixed version: 2.13.0

EPSS

Percentile: 8%
Score: 0.0003
Low

CVSS4: 5.4 Medium

Weaknesses

CWE-78

Related vulnerabilities

CVSS3: 7.8
Source: nvd
3 months ago

FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP server execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0.
