Critical RCE Vulnerability Discovered in MCP Inspector Exposes Developer Machines

By Tina Reynolds

Oligo Security’s Avi Lumelsky recently uncovered a critical remote code execution (RCE) vulnerability in MCP Inspector, a widely used open-source project. The vulnerability, tracked as CVE-2025-49596, posed a very high risk to every developer using the tool, which has been public on GitHub and forked more than 5,000 times. The issue was responsibly disclosed in April 2023, and the project’s maintainers responded quickly, releasing the fixed version 0.14.1 just a few days later, on June 13.

MCP Inspector consists of two components: a client interface for testing and debugging, and a proxy server that connects the web UI to various MCP servers. The vulnerability specifically affects the SSE endpoint. An attacker could cause a victim who visits an attacker-controlled website to issue a crafted request to that endpoint, potentially resulting in arbitrary code execution on the affected developer’s machine.

Sean Park, another researcher, stressed that antiquated web-application vulnerabilities must not be allowed to seep into today’s agent infrastructure. He explained that this oversight gives attackers a straightforward path from SQL injection to complete agent compromise.

“The takeaway is clear. If we allow yesterday’s web-app mistakes to slip into today’s agent infrastructure, we gift attackers an effortless path from SQL injection to full agent compromise.” – Sean Park

In this MTR Future, Micah Gold describes a worst-case attack scenario: an attacker creates a misleading web page that entices developers to visit it, resulting in malicious code executing on their systems. The attack chains multiple well-documented weaknesses in current versions of major web browsers with a cross-site request forgery (CSRF) vulnerability in MCP Inspector.

In particular, the default absence of authentication and encryption in MCP Inspector widens the exposure. In a 2020 presentation, Lumelsky underscored how this vulnerability opens additional attack vectors and poses grave security threats to AI teams, open-source projects and enterprise customers that depend on the MCP framework.

“This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools.” – Avi Lumelsky

In an advisory, the developers of MCP Inspector acknowledged that versions prior to 0.14.1 are vulnerable to remote code execution. The flaw stems from the lack of authentication between the Inspector client and the proxy server: with no authentication or authorization in place, unauthenticated requests can launch MCP commands over standard input/output (stdio).

“Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.” – The developers of MCP Inspector

The implications of this vulnerability are profound. Threat actors can weaponize the trust that AI systems place in internal data, using that data as a vector to propagate deeper attacks. Park explained that AI agents often assume internal data is safe, which makes them prime targets for exploitation through prompts embedded in insecure environments.

“AI agents often trust internal data, whether from databases, log entries, or cached records; agents often treat it as safe.” – Sean Park