Cybersecurity researchers have discovered a critical security vulnerability in Anthropic's MCP Inspector project, an artificial intelligence company. This flaw, assigned the identifier CVE-2025-49596, has a CVSS score of 9.4 out of 10.0, indicating its high severity. Successful exploitation of this vulnerability could result in remote code execution (RCE), allowing an attacker to gain full access to developer machines. This event marks one of the first critical RCEs in Anthropic's MCP ecosystem, exposing a new class of browser-based attacks against AI development tools, posing serious risks to AI teams, open-source projects, and enterprise adopters who rely on MCP.
The Model Context Protocol (MCP), introduced by Anthropic in November 2024, is an open protocol aimed at standardizing the integration and data sharing between Large Language Model (LLM) applications and external data sources or tools. The MCP Inspector is an essential development tool for testing and debugging MCP servers, which in turn expose specific capabilities through the protocol, enabling an AI system to access and interact with information beyond its training data. The tool consists of two main components: a client that offers an interactive interface for testing and debugging, and a proxy server that bridges the connection between the web interface and various MCP servers.
The critical vulnerability in the Inspector (CVE-2025-49596) is a Cross-Site Request Forgery (CSRF) flaw. However, the problem is significantly exacerbated by an insecure default configuration: the MCP Inspector's proxy server, by default, lacks authentication and encryption protections. Additionally, it has permissions to spawn local processes and connect to any specified MCP server. This "misconfiguration" creates a substantial attack surface, as anyone with local network or public internet access can potentially interact with and exploit these servers, resulting in "significant" security risks, according to Oligo Security.
The attack unfolds by chaining a well-known security flaw in modern web browsers, dubbed "0.0.0.0 Day," with the CSRF vulnerability in the Inspector (CVE-2025-49596). The "0.0.0.0 Day" is a 19-year-old vulnerability in web browsers that can allow malicious websites to breach local networks. It exploits the inability of browsers to securely handle the 0.0.0.0 IP address, leading to code execution. Attacks can be orchestrated by creating a malicious website that sends requests to localhost services running on an MCP server, granting the ability to execute arbitrary commands on the developer's machine. The default configuration that exposes MCP servers to these attacks means many developers may be inadvertently opening a backdoor on their machines.
A hypothetical attack scenario illustrates how this exploitation can occur: the proof-of-concept (PoC) uses the Server-Sent Events (SSE) endpoint to dispatch a malicious request from an attacker-controlled website to achieve RCE on the machine running the tool, even if it is listening on localhost (127.0.0.1). This is possible because the 0.0.0.0 IP address instructs the operating system to "listen" on all IP addresses assigned to the machine, including the local loopback interface (i.e., localhost). An attacker can create a fake webpage and trick a developer into visiting it; malicious JavaScript embedded in the page would then send a request to 0.0.0.0:6277 (the default port on which the proxy runs), instructing the MCP Inspector's proxy server to execute arbitrary commands. The attack can also employ DNS rebinding techniques to create a forged DNS record pointing to 0.0.0.0:6277 or 127.0.0.1:6277, bypassing security controls and gaining RCE privileges.
Following a responsible disclosure in April 2025, the vulnerability was patched by the project maintainers on June 13, with the release of version 0.14.1. The fixes implement a session token in the proxy server and incorporate origin validation, effectively blocking the attack vector. With these updates, the server now blocks DNS rebinding and CSRF attacks by default, adding authorization that was missing in previous configurations and checking the Host and Origin HTTP headers to ensure the client is visiting from a known and trusted domain. Oligo Security noted that while localhost services may seem secure, they are often exposed to the public internet due to network routing capabilities in browsers and MCP clients.
The discovery of CVE-2025-49596 comes just days after Trend Micro detailed an unpatched SQL injection bug in Anthropic's SQLite MCP server, which could be exploited to inject malicious prompts, exfiltrate data, and take over agent workflows. Sean Park, a researcher, observed that AI agents often trust internal data (from databases, logs, or cached records), treating it as safe. An attacker can exploit this trust by inserting a malicious prompt at this point, which could later cause the agent to trigger powerful tools (email, database, cloud APIs) to steal data or move laterally, bypassing earlier security checks. Although this open-source project was intended as a reference implementation and not for production use, it has been forked over 5,000 times. Furthermore, the GitHub repository was archived on May 29, 2025, which implies that no further fixes are planned for this flaw.
Additionally, a report from Backslash Security revealed that hundreds of MCP servers are susceptible to two major misconfigurations: the first allows for arbitrary command execution on the host machine due to unverified input handling and excessive permissions; the second makes them accessible to anyone on the same local network by being explicitly bound to 0.0.0.0, a vulnerability dubbed NeighborJack. Backslash Security describes the NeighborJack scenario: "Imagine you are coding at a coworking space or a shared café. Your MCP server is quietly running on your machine. The person sitting near you, sipping their latte, can now access your MCP server, simulate tools, and potentially execute operations on your behalf. It’s like leaving your laptop open—and unlocked for everyone in the room." Due to their design for accessing external data sources, MCPs can serve as hidden pathways for prompt injection and context poisoning, influencing an LLM's output by parsing data from an attacker-controlled website containing hidden instructions.
To mitigate context poisoning, one suggested approach by Micah Gold is to carefully process any text extracted from a website or database. However, Gold notes that this approach "bloats" the tools, requiring each individual tool to reimplement the same security feature, and leaves the user dependent on the individual MCP tool's security protocol. A superior approach, according to Backslash Security, is to configure AI rules with MCP clients to guard against vulnerable servers. These rules are predefined prompts or instructions assigned to an AI agent to guide its behavior and ensure it doesn't violate security protocols. By conditioning AI agents to be skeptical and aware of the threat posed by context poisoning via AI rules, MCP clients can be hardened against vulnerable MCP servers.
In summary, the emergence of these critical vulnerabilities in the Anthropic MCP ecosystem underscores the urgent need for a proactive security posture in the development and deployment of AI tools. The lesson is clear: allowing "yesterday's web application bugs" to creep into "today's agent infrastructure" offers attackers an easy path from SQL injection to full agent compromise. Protection requires a combination of software vulnerability patches, hardened security configurations by default, and the development of more "skeptical" and security-aware AI agents to navigate potentially malicious data.