
Anthropic MCP Inspector: CVE-2025-49596
What is CVE-2025-49596?
CVE-2025-49596 is a critical remote code execution vulnerability discovered in Anthropic's MCP Inspector tool. MCP is an open standard allowing AI applications to exchange structured context and actions with external tools, and MCP servers are the lightweight programs that expose those tools and data through the protocol. MCP Inspector is a developer-oriented debugging tool for interactively testing and validating MCP server implementations. Successfully exploiting CVE-2025-49596 allows unauthenticated attackers to conduct remote code execution (RCE).
MCP Inspector consists of:
- MCP Inspector Client (MCPI): A web-based UI designed to test and debug MCP servers interactively.
- MCP Proxy (MCPP): A server that functions as a protocol bridge, linking the client UI to MCP servers using stdio, Server-Sent Events, or HTTP.
The flaw arises because the MCPP accepts arbitrary stdio commands without authenticating or validating the source of requests from its browser client. If the proxy is reachable on the local network or exposed to the internet, an attacker can issue arbitrary MCP commands.
Insikt Group’s Assessment of CVE-2025-49596
In practice, an attacker can exploit this weakness by abusing a known browser behavior in which some browsers interpret 0.0.0.0 as equivalent to localhost. When combined with a Cross-Site Request Forgery (CSRF) vulnerability, this allows attackers to send malicious HTTP requests from public web pages to the MCPP. For example, an attacker could craft a request such as:
hxxp://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser
The request runs touch /tmp/exploited-from-the-browser on the victim’s host, giving the attacker the same privileges as the user who started MCP Inspector and visibility into any network-attached resources. A typical exploitation chain involves a malicious web page whose JavaScript dispatches the above request to 0.0.0.0:6277, instructing the proxy to execute arbitrary commands.
Cybersecurity firm Oligo also demonstrated that the same RCE can be achieved through DNS rebinding. An attacker hosts a webpage whose domain resolves first to a public IP and then (after the browser grants trust) to 127.0.0.1/0.0.0.0. Because the origin is still the attacker’s webpage, the browser allows the script to send requests to the local MCP Inspector instance listening on localhost, bypassing same-origin rules and reaching the unauthenticated API.
Insikt Group created a Nuclei template to detect CVE-2025-49596, which can be found attached to this blog post. The template sends a GET request to the /sse endpoint with the parameters transportType=stdio, command=echo, and args=CVE-2025-49596_TEST. It then checks for a 200 OK response containing sessionId= in the body. In patched versions, the server responds with a 401 Unauthorized status and the response body contains "Authentication required. Use the session token shown in the console when starting the server".
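The same check as a small Node.js script, added here as an example (it is not the Nuclei template attached to this post). It assumes Node 18 or later (global fetch) and an MCP Inspector proxy reachable at the base URL given on the command line; the probe is the harmless echo of a marker string that the template also sends, and the verdict is derived from the status code and body exactly as the template's matchers do.

```javascript
// Added example (not the Nuclei template attached to the post): the same
// check as a small Node.js script. Assumes Node 18+ (global fetch) and an
// MCP Inspector proxy reachable at the base URL given on the command line.
const TEST_MARKER = "CVE-2025-49596_TEST";
const PATCHED_TEXT = "Authentication required";

// Build the probe URL with the parameters the template sends: a harmless
// `echo` of a marker string through the stdio transport.
function buildProbeUrl(baseUrl) {
  const url = new URL("/sse", baseUrl);
  url.searchParams.set("transportType", "stdio");
  url.searchParams.set("command", "echo");
  url.searchParams.set("args", TEST_MARKER);
  return url.toString();
}

// Apply the template's matchers to a status code and (a prefix of) the body.
// "vulnerable": the proxy opened an SSE session, so it ran the command.
// "patched":    0.14.1+ rejects the request before touching any transport.
// "unknown":    anything else (not an Inspector proxy, other version, ...).
function classifyResponse(status, body) {
  if (status === 200 && body.includes("sessionId=")) return "vulnerable";
  if (status === 401 && body.includes(PATCHED_TEXT)) return "patched";
  return "unknown";
}

// Probe one host. /sse is a streaming endpoint, so on a vulnerable proxy the
// response never ends; read a single chunk and then abort the connection.
async function probe(baseUrl, timeoutMs = 5000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetch(buildProbeUrl(baseUrl), { signal: controller.signal });
    let body = "";
    if (res.body) {
      const { value } = await res.body.getReader().read();
      if (value) body = new TextDecoder().decode(value);
    }
    return classifyResponse(res.status, body);
  } finally {
    clearTimeout(timer);
    controller.abort(); // closes the SSE stream if one was opened
  }
}

// Usage: node probe.js --probe http://127.0.0.1:6277
const flag = process.argv.indexOf("--probe");
if (flag !== -1 && process.argv[flag + 1]) {
  probe(process.argv[flag + 1])
    .then((verdict) => console.log(`${process.argv[flag + 1]}: ${verdict}`))
    .catch((err) => console.error(`probe failed: ${err.message}`));
}
```

Only the first chunk of the body is read on purpose: a vulnerable proxy answers with an open SSE stream whose first event carries the sessionId, and waiting for the stream to end would hang the scan. A result of "unknown" is not a clean bill of health; it only means the host did not answer like either the vulnerable or the patched Inspector.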
At the time of writing, there were 560 exposed MCP Inspector instances on Shodan, most of which are geolocated in the US and China. However, not all of these are necessarily vulnerable, as their specific versions are unknown.

Recommended Actions for CVE-2025-49596
Users should upgrade to MCP Inspector version 0.14.1 or later, as implemented by Anthropic in commit 50df0e1. This update introduced safeguards to block CSRF from arbitrary public origins:
- Session tokens are now generated automatically and must accompany every proxy request.
- Allowed-origin checks reject traffic from unauthorised websites when the server is bound only to localhost.
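To show what those two safeguards look like in practice, here is an added example on a minimal Node.js HTTP server; it is not MCP Inspector's own code from commit 50df0e1. It also goes one step beyond the list above with a Host-header check, which is a standard defence against the DNS rebinding variant described earlier. The header name (x-mcp-proxy-auth), the UI port in the origin allowlist (6274) and the Bearer prefix are assumptions made for this example, not necessarily what the project uses.

```javascript
// Added example, not MCP Inspector's own code: the two safeguards described
// above on a minimal Node.js HTTP server, plus a Host-header check against
// DNS rebinding that goes beyond what the post lists. Header name and UI
// port are assumptions made for this example.
const PROXY_PORT = 6277;
const AUTH_HEADER = "x-mcp-proxy-auth"; // assumed header name, not necessarily the project's
// Origins the Inspector UI is expected to be served from (6274 is an assumed UI port).
const ALLOWED_ORIGINS = new Set([
  "http://localhost:6274",
  "http://127.0.0.1:6274",
]);

// Constant-time comparison so a token check does not leak how many leading
// characters matched. Length is compared first; the length is not secret here.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Safeguard 1: every proxy request must carry the session token generated at
// startup. A cross-site page cannot read that token, so a CSRF request fails.
function isAuthenticated(headers, sessionToken) {
  const presented = headers[AUTH_HEADER];
  if (typeof presented !== "string") return false;
  const token = presented.startsWith("Bearer ") ? presented.slice(7) : presented;
  return constantTimeEqual(token, sessionToken);
}

// Safeguard 2: when bound to localhost, only the Inspector UI's own origins are
// accepted. A page on attacker.example keeps its own Origin whether it reaches
// the proxy via 0.0.0.0 or via DNS rebinding, so it is rejected. Requests with
// no Origin at all (curl, a CLI client) fall through to the token check.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  if (origin === undefined) return true;
  return allowed.has(origin);
}

// Extra defence (not in the post): a DNS-rebinding request arrives with
// Host: attacker.example:6277 and a 0.0.0.0 request with Host: 0.0.0.0:6277.
// Only loopback names are accepted; the legitimate UI uses localhost/127.0.0.1.
function isLocalHostHeader(host) {
  if (typeof host !== "string") return false;
  const name = host.startsWith("[")
    ? host.slice(1, host.indexOf("]"))
    : host.split(":")[0];
  return name === "localhost" || name === "127.0.0.1" || name === "::1";
}

// Run the checks in order; returns { ok: true } or the response to send.
function authorizeRequest(req, sessionToken) {
  const h = req.headers;
  if (!isLocalHostHeader(h.host)) return { ok: false, status: 403, message: "Host header is not a loopback address" };
  if (!isAllowedOrigin(h.origin)) return { ok: false, status: 403, message: "Origin not allowed" };
  if (!isAuthenticated(h, sessionToken)) {
    return { ok: false, status: 401,
      message: "Authentication required. Use the session token shown in the console when starting the server" };
  }
  return { ok: true };
}

async function main() {
  // Dynamic imports so the file loads under both CommonJS and ESM.
  const { randomBytes } = await import("node:crypto");
  const { createServer } = await import("node:http");
  const sessionToken = randomBytes(32).toString("hex");
  const server = createServer((req, res) => {
    const verdict = authorizeRequest(req, sessionToken);
    res.setHeader("Content-Type", "text/plain");
    if (!verdict.ok) { res.statusCode = verdict.status; res.end(verdict.message); return; }
    // A real proxy would now open the requested stdio/SSE/HTTP transport.
    res.end("authorized");
  });
  // Bind to loopback only; 0.0.0.0 would expose the proxy on every interface.
  server.listen(PROXY_PORT, "127.0.0.1", () =>
    console.log(`proxy on 127.0.0.1:${PROXY_PORT}, session token: ${sessionToken}`));
}

if (process.argv.includes("--serve")) main();
```

The order of the checks matters for the detection logic above: an unauthenticated probe from a scanner carries a loopback Host and no Origin, so it reaches the token check and receives the 401 with the "Authentication required" text, which is the signature the Nuclei template treats as patched. A browser page on a foreign origin never gets that far; it is refused with a 403 before any transport is touched.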
How Recorded Future Can Help:
- Insikt Group - Download the attached YAML file in this blog post to access a Nuclei template created by Insikt Group for CVE-2025-49596. The template enables defenders to test MCP Inspector instances that may still be running a version older than the patch.
- Vulnerability Intelligence - Gain helpful context on CVE-2025-49596 to aid in patching and prioritization discussions.

“Vulnerability Intelligence has helped us reduce risk by enabling proactive and risk-based patching. For example, it allowed us to quickly prioritize remediation of the latest CVEs after identifying active exploitation by APT actors. It also significantly reduced investigation time by correlating CVEs with threat actor TTPs, affected assets, and exploitation timelines, ensuring we focus efforts where they matter most” – Sr. Cyber Threat Researcher, Large Enterprise Internet Software & Services Company (UserEvidence)
Looking for more information on how Threat Intelligence can help you get ahead of new vulnerabilities? Check out our recent webinar: Vulnerability Prioritization Workshop: How to Take an Intelligence-Driven Approach.
About Insikt Group:
Recorded Future’s Insikt Group threat research team is comprised of analysts, linguists, and security researchers with deep government and industry experience.
Insikt Group publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.