- Anthropic’s MCP Inspector project carried a flaw that allowed miscreants to steal sensitive data, drop malware
- To abuse it, hackers need to chain it with a decades-old browser bug
- The flaw was fixed in mid-June 2025, but users should still be on their guard
The Anthropic Model Context Protocol (MCP) Inspector project carried a critical-severity vulnerability which could have allowed threat actors to mount remote code execution (RCE) attacks against host devices, experts have warned.
Best known for its Claude conversational AI model, Anthropic developed MCP, an open source standard that facilitates secure, two-way communication between AI systems and external data sources. It also built Inspector, a separate open source tool that allows developers to test and debug MCP servers.
Now, it was reported that a flaw in Inspector could have been used to steal sensitive data, drop malware, and move laterally across target networks.
Patching the flaw
Apparently, this is the first critical-level vulnerability in Anthropic’s MCP ecosystem, and one that opens up an entire new class of attacks.
The flaw is tracked as CVE-2025-49596, and has a severity score of 9.4/10 – critical.
“This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools,” Avi Lumelsky from Oligo Security explained.
“With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks – highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP.”
To abuse this flaw, attackers need to chain it with “0.0.0.0. Day”, a two-decade-old vulnerability in web browsers that enable malicious websites to breach local networks, The Hacker News explains, citing Lumelsky.
By creating a malicious website, and then sending a request to localhost services running on an MCP server, attackers could run arbitrary commands on a developer’s machine.
Anthropic was notified about the flaw in April this year, and came back with a patch on June 13, pushing the tool to version 0.14.1. Now, a session token is added to the proxy server, as well as origin validation, rendering the attacks moot.
Leave a comment