CVE-2025-58444 | THREATINT

Description

The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This could be leveraged to interact directly with the inspector proxy to trigger arbitrary command execution. Users are advised to update to 0.16.6 to resolve this issue.

PUBLISHED Reserved 2025-09-01 | Published 2025-09-08 | Updated 2025-09-09 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page

Product status

< 0.16.6

affected

References

github.com/...pector/security/advisories/GHSA-g9hg-qhmf-q45m

github.com/...ommit/650f3090d26344a672026b737d81586595bb1f60

cve.org (CVE-2025-58444)

nvd.nist.gov (CVE-2025-58444)

Download JSON