Security Vulnerability Report
CVE-2025-64340 CVSS 6.7 MEDIUM

CVE-2025-64340

Published: 2026-04-03 16:16:23
Last Modified: 2026-04-21 01:09:15

Description

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
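The mechanism in the description deserves a concrete illustration, because passing a list to subprocess.run() is usually taken as proof against injection. On Windows it is not when the target resolves to a .cmd or .bat wrapper: the list is flattened into a single command line for CreateProcess, and since batch files are run by cmd.exe, cmd.exe re-parses that string and honours & and other separators. The added example below is not FastMCP's code and is not the fix shipped in 3.2.0; it shows the defensive checks a practitioner would put in front of such a call: an allowlist for the server name, a report of which cmd.exe metacharacters were found, and a check on whether the resolved CLI is a batch wrapper. The function names, the "add" subcommand and the metacharacter set are assumptions for illustration.

```python
# Added example (not FastMCP's code): defensive checks in front of the
# subprocess call described in CVE-2025-64340. Function names, the "add"
# subcommand syntax and the metacharacter set are assumptions.
import os
import re
import shutil
import subprocess
from typing import Callable, List, Optional

# Characters that cmd.exe treats specially when it re-parses a flattened
# command line. Constructed set; it covers separators, redirections and
# variable expansion relevant to a batch-file wrapper.
CMD_METACHARACTERS = set('&|<>^%!"()\r\n')

# Conservative allowlist for a server name: letters, digits, underscore,
# dot and hyphen, with a length cap.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_server_name(name: str) -> bool:
    """Return True only if `name` is safe to place on any command line."""
    return bool(SAFE_NAME_RE.fullmatch(name))


def find_metacharacters(name: str) -> List[str]:
    """Return the cmd.exe metacharacters present in `name`, for error detail."""
    return sorted({c for c in name if c in CMD_METACHARACTERS})


def is_cmd_wrapper(executable_path: str) -> bool:
    """True if the resolved executable is a batch file, which CreateProcess
    hands to cmd.exe (so the argv list is flattened and re-parsed)."""
    return os.path.splitext(executable_path)[1].lower() in {".cmd", ".bat"}


def build_install_argv(
    cli: str,
    server_name: str,
    which: Callable[[str], Optional[str]] = shutil.which,
) -> List[str]:
    """Build argv for `<cli> add <server_name>` (hypothetical syntax) only
    after the name passes the allowlist. Raises ValueError on unsafe input,
    so the caller never reaches subprocess with a hostile name."""
    if not validate_server_name(server_name):
        bad = find_metacharacters(server_name)
        raise ValueError(
            f"unsafe server name {server_name!r}; offending characters: {bad}"
        )
    resolved = which(cli)
    if resolved is None:
        raise FileNotFoundError(f"{cli} not found on PATH")
    if is_cmd_wrapper(resolved):
        # The allowlist above is what keeps this path safe: a batch wrapper
        # means cmd.exe will re-parse the flattened argv.
        print(f"note: {resolved} is a batch wrapper; arguments pass through cmd.exe")
    return [resolved, "add", server_name]


def run_install(cli: str, server_name: str) -> subprocess.CompletedProcess:
    """Validate, then invoke the CLI with shell=False (list argv)."""
    argv = build_install_argv(cli, server_name)
    return subprocess.run(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample names; the second one is the page's own PoC string.
    for candidate in ("legit_server", "legit_server & calc.exe", "srv|x"):
        verdict = "ok" if validate_server_name(candidate) else find_metacharacters(candidate)
        print(f"{candidate!r} -> {verdict}")
```

The allowlist is the real control here; the wrapper check only makes the flattening visible in logs so that a reviewer can see which install targets are exposed to cmd.exe parsing. Rejecting the name before the subprocess call also means the failure is a clean ValueError rather than a partially executed command.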

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:* - VULNERABLE
FastMCP < 3.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for CVE-2025-64340
# Demonstrates how metacharacters in server names can lead to command injection on Windows.
import subprocess

# Simulating the vulnerable behavior in FastMCP prior to 3.2.0
# The server name contains a shell metacharacter to inject a command.
malicious_server_name = "legit_server & calc.exe"

# On Windows, subprocess.run with a list argument calling a .cmd file
# often invokes cmd.exe, which parses the '&' character.
# 'cmd' represents a hypothetical wrapper like claude-code.cmd or gemini-cli.cmd
try:
    # This simulates the internal call made by FastMCP install
    print(f"Attempting to install server: {malicious_server_name}")
    # In a real scenario, this would execute the installed CLI tool
    # command = ["cmd", "/c", "echo", "Installing", malicious_server_name]
    # subprocess.run(command, shell=False)
    # Note: Actual exploitation requires the specific vulnerable binary context.
    # The key is that cmd.exe interprets the '&' as a command separator.
    print("If vulnerable, 'calc.exe' would execute after the legit command.")
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/PrefectHQ/fastmcp/pull/3522 (Issue Tracking, Patch)
https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g (Exploit, Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64340", "sourceIdentifier": "[email protected]", "published": "2026-04-03T16:16:23.010", "lastModified": "2026-04-21T01:09:14.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:jlowin:fastmcp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.2.0", "matchCriteriaId": "4247F36F-7D37-47DF-A475-E607F1BAD799"}]}]}], "references": [{"url": "https://github.com/PrefectHQ/fastmcp/pull/3522", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}