Critical MCP Inspector Flaw (CVE-2025-49596, CVSS 9.4): Unauthenticated RCE Threatens AI Dev Machines via Browser
Anthropic has encountered a critical vulnerability in one of its AI-related projects. The flaw, identified as CVE-2025-49596, affects the Model Context Protocol (MCP) Inspector tool and has been assigned a CVSS severity score of 9.4 out of 10, signaling an exceptionally high risk. This vulnerability enables remote code execution on developers’ devices, potentially granting attackers full control over affected systems.
According to experts at Oligo Security, this marks one of the first significant threats within Anthropic’s MCP ecosystem. They emphasize that this breach highlights a new category of browser-based attacks targeting developer tools used in artificial intelligence workflows. If exploited, the vulnerability could allow attackers to exfiltrate data, deploy stealthy malware, and navigate laterally through corporate networks.
The MCP protocol, introduced by Anthropic in November 2024, is designed as an open standard for connecting large language model (LLM)-based applications with external data sources and tools. MCP Inspector serves as a companion utility, enabling developers to test and debug servers operating under the MCP protocol. The tool includes an interactive client and a proxy server that bridges communication between the web interface and various MCP servers.
However, the tool’s defining feature—the ability to launch local processes and connect to arbitrary MCP servers—requires strict access controls. By default, the server should not be exposed to untrusted networks. Nevertheless, the standard configuration failed to implement authentication and encryption, significantly enlarging the potential attack surface.
Experts explain that this configuration allowed any user on a local or even external network to interact with vulnerable MCP servers and exploit them. The attack chain leverages multiple weaknesses, including a known browser issue dubbed “0.0.0.0 Day” and a CSRF vulnerability within the Inspector tool. Consequently, merely visiting a malicious website could lead to arbitrary code execution on a developer’s machine.
The “0.0.0.0 Day” vulnerability arises from improper handling of the 0.0.0.0 IP address by modern browsers. Attackers can exploit this flaw to target local services via specially crafted web pages. When MCP Inspector runs with its default settings, its proxy server listens on port 6277 across all IP interfaces—including 127.0.0.1. This allows malicious websites to send commands to the local service and execute arbitrary scripts.
The attack can be further amplified using DNS rebinding, a technique that circumvents standard protections to facilitate remote code execution.
After being informed of the issue in April 2025, Anthropic released version 0.14.1 of MCP Inspector in mid-June. The update introduced request and origin validation, significantly impeding exploitation. The server now verifies the Host and Origin headers and enforces authorization, thereby mitigating DNS rebinding and CSRF threats.
Meanwhile, other vulnerabilities have emerged in Anthropic’s ecosystem. Trend Micro reported an unpatched flaw in the SQLite MCP server, which enables prompt injection, data theft, and manipulation of AI agents. Researchers warn that such attacks are particularly dangerous, as AI systems tend to trust internal data sources without verifying their origin.
Backslash Security also identified a widespread misconfiguration issue across MCP servers. These improperly secured servers allow command execution due to flawed input handling and their binding to the 0.0.0.0 IP, exposing them to all users on the same local network.
One illustrative scenario involves a developer running a vulnerable MCP server in a coworking space or café, where any nearby individual could connect and assume control of the system. Given that MCP servers inherently exchange data with external sources, they are also susceptible to context injection and covert command execution attacks.
Experts suggest that the most effective defense lies in implementing strict behavioral protocols for AI agents, empowering them to detect and disregard suspicious inputs. Though this approach demands considerable effort, it offers a robust safeguard for MCP-based infrastructures.
Anthropic has clarified that MCP Inspector is intended solely as a demonstrative tool and is not recommended for production use. However, its GitHub repository has been cloned over 5,000 times. Following the discovery of these critical flaws, the project was officially frozen and archived on May 29, 2025, with no further updates planned.
