ghsa-rj5c-58rq-j5g5
Vulnerability from github
Published
2025-10-29 15:39
Modified
2025-10-29 15:39
Severity ?
5.4 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
Details

Summary

A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor

Details

  1. generate_cursor_deeplink(server_name, …) embeds server_name verbatim in a cursor://…?name= query string.
  2. open_deeplink() is invoked with shell=True only on Windows. That calls cmd.exe /c start .
  3. Any cmd metacharacter inside server_name (&, |, >, ^, …) escapes the start command and spawns an attacker-chosen process.

PoC

server.py ```

import random from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")

@mcp.tool def roll_dice(n_dice: int) -> list[int]: """Roll n_dice 6-sided dice and return the results.""" return [random.randint(1, 6) for _ in range(n_dice)]

if name == "main": mcp.run() ```

then run in the terminal: fastmcp install cursor server.py

Impact

OS Command / Shell Injection (CWE-78) Every Windows host that runs fastmcp install cursor is at risk. Developers on their local workstations, CI/CD agents and corporate build machines alike.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fastmcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T15:39:03Z",
    "nvd_published_at": "2025-10-28T22:15:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor\n\n### Details\n1. generate_cursor_deeplink(server_name, \u2026) embeds server_name verbatim in a cursor://\u2026?name= query string.\n2. open_deeplink() is invoked with shell=True only on Windows. That calls cmd.exe /c start \u003cdeeplink\u003e.\n3. Any cmd metacharacter inside server_name (\u0026, |, \u003e, ^, \u2026) escapes the start command and spawns an attacker-chosen process.\n\n### PoC\nserver.py \n```\n\nimport random\nfrom fastmcp import FastMCP\n\nmcp = FastMCP(name=\"test\u0026calc\")\n\n@mcp.tool\ndef roll_dice(n_dice: int) -\u003e list[int]:\n    \"\"\"Roll `n_dice` 6-sided dice and return the results.\"\"\"\n    return [random.randint(1, 6) for _ in range(n_dice)]\n\nif __name__ == \"__main__\":\n    mcp.run()\n```\n\nthen run in the terminal:\n`fastmcp install cursor server.py`\n\n### Impact\nOS Command / Shell Injection (CWE-78)\nEvery Windows host that runs fastmcp install cursor is at risk. Developers on their local workstations, CI/CD agents and corporate build machines alike.",
  "id": "GHSA-rj5c-58rq-j5g5",
  "modified": "2025-10-29T15:39:03Z",
  "published": "2025-10-29T15:39:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jlowin/fastmcp/security/advisories/GHSA-rj5c-58rq-j5g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62801"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jlowin/fastmcp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.