Overview
Critical RCE vulnerability (CVSS 9.4) in the MCP Inspector developer tool (versions below 0.14.1). Lack of authentication between the Inspector client and proxy enables remote code execution, chainable with DNS rebinding for browser-based exploitation.
Who Is Affected
Discovered by Oligo Security. Affects developers using MCP Inspector for testing and debugging MCP servers—one of the most widely used developer tools in the MCP ecosystem.
Where It Exists
The vulnerability is in the MCP Inspector's proxy component that bridges the web-based client UI and MCP servers. The proxy accepts unauthenticated connections, allowing any local or (via DNS rebinding) remote process to send commands.
When It Was Found
Disclosed June 13, 2025 with CVE-2025-49596. Fixed in MCP Inspector version 0.14.1. This represents one of the first critical CVEs in Anthropic's MCP ecosystem.
How It Works
The MCP Inspector runs a local proxy server without authentication. An attacker can reach that proxy in either of two ways: (1) from another process on the same machine, by sending commands directly to the proxy port, or (2) from a malicious website the developer visits, by chaining the flaw with DNS rebinding or 0.0.0.0-day techniques so that the developer's own browser delivers the requests. Because the proxy forwards commands to the connected MCP servers, which may themselves be able to execute code, the result is full RCE on the developer's machine.
Impact
Full remote code execution on developer machines. Attackers can steal source code, install backdoors, access cloud credentials, and move laterally across the organization's network. It is particularly dangerous because it targets developers, who inherently have elevated access to production systems and source code repositories.
Mitigation
Update MCP Inspector to version 0.14.1 or later immediately. Add authentication to any locally-running development proxy. Use network-level controls to prevent DNS rebinding attacks. Run development tools in isolated environments (containers/VMs). Monitor for unexpected connections to local development ports.