CVE-2025-58444: MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector connects to an untrusted server, a crafted redirect can inject script into the Inspector context and, via the built-in proxy, be leveraged to trigger arbitrary command execution on the developer machine. Version 0.16.6 hardens URL handling/validation and prevents script execution.
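As an added illustration of the kind of hardening the description refers to (example code written here, not the Inspector's own code and not the actual 0.16.6 patch), the check below treats a redirect URL returned by a remote MCP server as untrusted input: it is parsed with the WHATWG URL parser, only http/https targets survive, and the result is rendered through DOM properties rather than markup. The function names and the constructed sample inputs are assumptions for this example.

```javascript
// Added example, not code from the MCP Inspector project.
// A redirect URL from an untrusted MCP server must never reach the page
// as raw markup or as an unchecked href: a javascript: or data: target
// would execute in the Inspector's own origin.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized absolute URL, or null when the value must be dropped.
function sanitizeRedirectUrl(candidate) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    parsed = new URL(candidate); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  // The parser lower-cases the scheme and strips surrounding whitespace,
  // so " JaVaScRiPt:..." still lands here as "javascript:" and is rejected.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Embedded credentials are a common lure in phishing-style redirects.
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// Safe rendering: set the target via the href property and show the URL
// as text content, never by concatenating server-supplied text into HTML.
function renderRedirectLink(doc, candidate) {
  const link = doc.createElement("a");
  const safe = sanitizeRedirectUrl(candidate);
  if (safe === null) {
    link.textContent = "Server returned a redirect URL that was rejected";
    return link;
  }
  link.href = safe;
  link.rel = "noopener noreferrer";
  link.textContent = safe;
  return link;
}

// Constructed sample values a server might return (for demonstration only).
const SAMPLE_REDIRECTS = [
  "https://auth.example.test/callback?state=abc",
  " JaVaScRiPt:alert(1)",
  "/relative/callback",
];
for (const value of SAMPLE_REDIRECTS) {
  console.log(JSON.stringify(value), "->", sanitizeRedirectUrl(value));
}
```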
Thank you to the following researchers for their reports and contributions:
- Raymond (Veria Labs)
- Gavin Zhong, superboyzjc@gmail.com & Shuyang Wang, swang@obsidiansecurity.com.
References
- github.com/advisories/GHSA-g9hg-qhmf-q45m
- github.com/modelcontextprotocol/inspector
- github.com/modelcontextprotocol/inspector/commit/650f3090d26344a672026b737d81586595bb1f60
- github.com/modelcontextprotocol/inspector/security/advisories/GHSA-g9hg-qhmf-q45m
- nvd.nist.gov/vuln/detail/CVE-2025-58444
- www.npmjs.com/package/@modelcontextprotocol/inspector/v/0.16.6