Anthropic MCP Inspector Vulnerability Lets Hackers Run Arbitrary Code Remotely
A newly disclosed vulnerability in Anthropic’s Model Context Protocol (MCP) Inspector tool has sent shockwaves through the AI development community, exposing a critical attack vector that could allow hackers to execute arbitrary code on developers’ machines—simply by luring them to a malicious website.
CVE-2025-49596: A Critical Threat
Tracked as CVE-2025-49596 and carrying a CVSS score of 9.4, this flaw was discovered by Oligo Security Research and affects all versions of MCP Inspector prior to 0.14.1.
The vulnerability stems from a lack of authentication between the Inspector’s client and its proxy server, enabling unauthenticated requests to trigger arbitrary commands via the tool’s standard input/output interface.
How the Exploit Works
The MCP Inspector is widely used for debugging and testing MCP servers, which are foundational for AI agent collaboration across platforms like Python and JavaScript.
By default, MCP Inspector runs an HTTP server on 0.0.0.0:6277, exposing it to connections from any network interface. Critically, the default configuration lacks authentication and encryption, creating an open door for attackers.
The attack leverages a long-standing browser vulnerability—dubbed “0.0.0.0-day”—that allows websites to send requests to localhost services.
An attacker can craft a malicious website containing JavaScript that dispatches requests to the MCP Inspector’s SSE endpoint, instructing it to execute system commands.
This can result in full compromise of the developer’s machine, including data theft, installation of backdoors, and lateral movement across networks.
“With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks—highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP,” said Oligo Security’s Avi Lumelsky.
Major tech firms such as Microsoft and Google, as well as countless open-source projects, rely on MCP Inspector for AI development.
Researchers identified several internet-facing MCP Inspector instances, confirming the real and immediate risk of remote code execution for both individuals and organizations.
Remediation and Recommendations
Anthropic’s security team responded rapidly, releasing version 0.14.1 on June 13, 2025. The update introduces session token-based authentication—similar to Jupyter notebooks—and strict origin checks to block unauthorized requests and mitigate CSRF attacks.
Users are strongly urged to upgrade to version 0.14.1 or later immediately, as no effective workarounds exist for earlier versions.
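The two controls named in the fix, a per-session token and an Origin allowlist, placed in front of a loopback-bound listener, as an added Node.js example. This is not Anthropic's or MCP Inspector's own code; the config field names, the UI origin http://localhost:8080 and the Bearer header format are assumptions made for the sketch.

```javascript
const crypto = require('node:crypto');
const http = require('node:http');

// Hypothetical settings for this sketch (field names and UI origin are assumptions).
const config = {
  host: '127.0.0.1', // loopback only; the pre-0.14.1 default described above was 0.0.0.0
  port: 6277,
  allowedOrigins: new Set(['http://localhost:8080']), // constructed UI origin
  sessionToken: crypto.randomBytes(32).toString('hex'), // fresh random token per process
};

// Compare digests so timingSafeEqual always receives equal-length buffers.
function tokenMatches(presented, expected) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Decide whether a request may reach the handler that spawns commands.
function authorize(headers, cfg) {
  const origin = headers.origin;
  // Browsers set Origin on cross-site requests; anything off the allowlist is refused.
  if (origin !== undefined && !cfg.allowedOrigins.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // Non-browser clients send no Origin, so the token is required in every case.
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  if (!m || !tokenMatches(m[1], cfg.sessionToken)) {
    return { ok: false, status: 401, reason: 'missing or invalid session token' };
  }
  return { ok: true, status: 200, reason: 'authorized' };
}

// Every request passes the gate before any handler logic runs.
function createProxy(cfg) {
  return http.createServer((req, res) => {
    const verdict = authorize(req.headers, cfg);
    res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
    res.end(verdict.reason + '\n');
  });
}
// To serve: createProxy(config).listen(config.port, config.host);

// Constructed sample requests, evaluated without opening a socket.
const samples = [
  { origin: 'https://attacker.example' },
  { origin: 'http://localhost:8080' },
  { origin: 'http://localhost:8080', authorization: `Bearer ${config.sessionToken}` },
];
for (const h of samples) console.log(h.origin, '->', authorize(h, config).reason);
```

The origin check alone stops a hostile page's cross-site request, while the token also covers callers that send no Origin header at all.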
This incident underscores the importance of secure defaults and the risks associated with localhost-exposed developer tools.
Developers and organizations must ensure their MCP Inspector installations are updated and never exposed to untrusted networks.
As the AI ecosystem matures, robust security practices are essential to protect the integrity of critical development infrastructure.