CVE-2025-62801 in fastmcp

Summary

by MITRE • 10/29/2025

FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0.


Analysis

by VulDB Data Team • 10/29/2025

The vulnerability identified as CVE-2025-62801 affects FastMCP, a framework for building MCP applications, on Windows hosts. The command injection flaw exists in versions prior to 2.13.0 and lies in the handling of the server_name field of the MCP framework. It is a critical weakness that allows unauthenticated attackers to execute arbitrary operating system commands on affected systems. The flaw manifests when the application passes user-controlled input from the server_name parameter into a system call without proper sanitization or validation.

Technically, the vulnerability stems from insufficient input validation and sanitization in FastMCP's handling of the server_name field. When an attacker can influence this parameter, the framework does not escape or filter special characters that the shell interprets as command delimiters or metacharacters, so attacker-supplied input is executed as part of an otherwise legitimate system command, giving the attacker arbitrary code execution on the underlying Windows host. The vulnerability specifically affects systems running fastmcp install cursor, which indicates that the flaw is triggered during the installation or cursor management process within the framework.

The operational impact of this vulnerability is severe and multifaceted across enterprise environments. An attacker exploiting this command injection flaw could potentially gain full system control over affected Windows hosts, allowing for privilege escalation, data exfiltration, system compromise, and lateral movement within the network. The vulnerability's accessibility to any attacker who can influence the server_name field eliminates the need for authentication, making it particularly dangerous in environments where the framework is exposed to untrusted networks or user inputs. This could result in complete system compromise, data loss, and unauthorized access to sensitive organizational resources.

Security professionals should immediately upgrade to FastMCP version 2.13.0 or later to remediate this vulnerability, as this release contains the necessary patches and input validation improvements. Organizations should also implement network segmentation to limit exposure of FastMCP installations to untrusted networks, and consider deploying intrusion detection systems to monitor for suspicious command execution patterns. The vulnerability aligns with CWE-77 and CWE-94 categories, representing command injection and code injection flaws respectively, and maps to ATT&CK techniques including T1059.001 for command and script interpreter and T1068 for exploit for privilege escalation. Additional mitigations include implementing proper input validation at all application layers, using least privilege principles for framework installations, and conducting regular security assessments of MCP applications to identify similar vulnerabilities in custom implementations.
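To make the mechanism and the mitigation concrete, the following is an added illustration written for this page; it is not FastMCP's code and does not reproduce the actual vulnerable call. It contrasts the vulnerable shape described above (a user-influenced server name spliced into a command string that a shell parses) with the hardened shape (an allowlist check on server_name, then an argv list handed to the child process with no shell in between). The launcher command name and its flags are hypothetical placeholders.

```python
import re
import subprocess
from typing import List

# Allowlist for a server name: one leading alphanumeric, then up to 63
# characters from [A-Za-z0-9._-]. Anything a shell could treat as a
# delimiter or metacharacter (&, |, ;, quotes, spaces, newlines) is rejected
# outright. Allowlisting is the right tool here: there is no reliable
# escaping scheme for cmd.exe, and shlex.quote only covers POSIX shells.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_server_name(name: str) -> bool:
    """Return True only if the name matches the allowlist pattern."""
    return bool(SERVER_NAME_RE.fullmatch(name))


def build_install_command_unsafe(server_name: str, entrypoint: str) -> str:
    """VULNERABLE pattern (constructed, not FastMCP's code).

    The name is interpolated into one command string intended for
    subprocess.run(..., shell=True). On Windows that string is parsed by
    cmd.exe, so metacharacters inside server_name change which commands
    run. Shown only so the two shapes can be compared; never call it.
    """
    return f'hypothetical-launcher run {entrypoint} --name "{server_name}"'


def build_install_argv(server_name: str, entrypoint: str) -> List[str]:
    """Hardened pattern: validate first, then return an argv list.

    Each list element reaches the child as exactly one argument; no shell
    tokenises the line, so the name cannot introduce a second command.
    """
    if not is_safe_server_name(server_name):
        raise ValueError(f"rejected server_name: {server_name!r}")
    return ["hypothetical-launcher", "run", entrypoint, "--name", server_name]


def run_install(server_name: str, entrypoint: str) -> int:
    """Launch the validated command without a shell and return its exit code."""
    argv = build_install_argv(server_name, entrypoint)
    # shell=False (the default): argv goes straight to CreateProcess/execve.
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample names: the first passes, the second is rejected
    # before any process is spawned.
    for candidate in ("my-server_1", "my&server"):
        try:
            print(build_install_argv(candidate, "server.py"))
        except ValueError as exc:
            print(exc)
```

Two Windows-specific caveats apply even to the hardened version. First, passing a list does not help if the executable being launched is a .bat or .cmd wrapper: Windows starts those through cmd.exe, which re-parses the assembled command line, so untrusted arguments must never reach a batch file; invoke the real .exe instead. Second, keep the allowlist check at the point where the MCP configuration is loaded as well as at the spawn site, so a hostile server_name is rejected before it is stored or displayed anywhere.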

Responsible: GitHub M

Reservation: 10/22/2025

Disclosure: 10/29/2025

Moderation: accepted

CPE: ready

EPSS: 0.00049

KEV: no

Activities: very low

Sources
