Critical RCE Flaw Found In Anthropic MCP Inspector, CVE-2025-49596

HomeNews* Researchers found a major security flaw in Anthropic‘s Model Context Protocol (MCP) Inspector tool that could enable remote code execution.

• The vulnerability, tracked as CVE-2025-49596, has a critical CVSS score of 9.4 out of 10.
• Attackers could exploit the flaw by chaining browser and protocol weaknesses to execute commands on a victim’s device.
• Anthropic released a fix in version 0.14.1 of MCP Inspector, which now requires authentication and checks request origins.
• The flaw highlighted risks for developers and organizations using MCP tools without secure configurations. Cybersecurity researchers have identified a major vulnerability in Anthropic‘s Model Context Protocol (MCP) Inspector developer tool, which could allow attackers to take control of affected computers through remote code execution. The issue, disclosed in June 2025, impacts tools used to integrate Artificial Intelligence applications with outside data sources.

• Advertisement - The flaw, designated as CVE-2025-49596, received a rating of 9.4 out of 10 for severity. According to Oligo Security’s Avi Lumelsky, "With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks – highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP."

Anthropic launched MCP in November 2024 as an open standard for large language model (LLM) applications to access and exchange data with external resources. The MCP Inspector tool, affected by the vulnerability, helps developers test and debug these connections using a client interface and a proxy server.

The primary security risk occurred because earlier versions of MCP Inspector did not require authentication or use encryption for local connections. This left systems open to attack if the MCP server was accessible to public or local networks. Attackers could combine a known browser flaw, called “0.0.0.0 Day,” with a cross-site request forgery (CSRF) vulnerability to execute malicious commands as soon as a developer visited a harmful website.

Researchers demonstrated that the proxy server’s default settings could listen on all IP addresses—including internal addresses—making them reachable from malicious web pages. The attack could also utilize DNS rebinding, tricking the browser into recognizing an attacker’s address as trusted.

Following notification of the issue in April, Anthropic released version 0.14.1 of the MCP Inspector on June 13. The update adds mandatory session tokens for the proxy server and checks the source of incoming requests, blocking CSRF and DNS rebinding attack methods. According to project maintainers, "The mitigation adds Authorization which was missing in the default prior to the fix, as well as verifying the Host and Origin headers in HTTP, making sure the client is really visiting from a known, trusted domain."

Developers and organizations using older versions of MCP Inspector are advised to update immediately and review their network configurations to avoid exposing the MCP server to untrusted networks.

• Advertisement - #### Previous Articles:

• VCs Wary as DeFi Funding Stalls but TradFi Integration Grows
• İşbank Issues $100M Digital Bond on Euroclear to Aid Quake Recovery
• FreeWallet Faces Allegations of Exploitative Crypto Inactivity Fees
• Bella Protocol Launches AI-Powered USDC Coin Flip Game
• VeChain (VET) Drops 73% Since December High, Struggles in 2024

• Advertisement -