CVE-2025-49596 - MCP Inspector proxy unauthenticated RCE

MCP Inspector is a developer tool for testing Model Context Protocol servers. Versions before 0.14.1 exposed the proxy server without authentication between the browser client and the proxy. An unauthenticated network request could make the proxy launch MCP server commands over stdio, which is code execution on the developer workstation, devcontainer, CI runner, or hosted workbench running the inspector.

The fix is not only a package bump. The patched release adds proxy session-token authentication, disables auto-open when auth is enabled, binds the proxy to 127.0.0.1 by default, and documents DNS rebinding controls through allowed origins. Any wrapper that starts Inspector for agents should keep those defaults instead of re-opening the old boundary through HOST=0.0.0.0, forwarded ports, or DANGEROUSLY_OMIT_AUTH.

When to use it

Use this recipe when a repository, workbench, devcontainer, CI image, desktop agent profile, or internal developer tool installs or launches MCP Inspector. It is most useful for source-code remediation, MCP boundary review, developer tool hardening, and audit evidence that proves Inspector cannot be reached or used as an unauthenticated stdio command launcher.

Inputs

  • Package manifests, lockfiles, Dockerfiles, devcontainer files, CI jobs, desktop agent configs, and docs that reference MCP Inspector.
  • Observed Inspector version, wrapper command, proxy bind address, forwarded ports, origin policy, and session-token behavior.
  • Evidence of what the Inspector process can access: repository checkout, package tokens, cloud credentials, SSH agent, MCP server environment, Docker socket, browser profile, and local network reachability.
  • Validation commands that are safe to run without spawning attacker-selected commands or touching real secrets.

Affected versions

  • Vulnerable: @modelcontextprotocol/inspector <0.14.1
  • Fixed: @modelcontextprotocol/inspector 0.14.1+
  • Affected code shape: the Inspector proxy accepts unauthenticated browser or HTTP requests that can create stdio MCP transports with attacker-selected command, args, or env.
  • Fixed code shape: proxy requests require a random session token in the Authorization: Bearer ... header, proxy binding defaults to 127.0.0.1, and cross-origin access is constrained.

Indicator-of-exposure

  • The repository installs, launches, vendors, documents, or wraps @modelcontextprotocol/inspector, modelcontextprotocol/inspector, mcp-inspector, or npx @modelcontextprotocol/inspector.
  • A devserver, workbench, desktop agent config, container, Codespace, CI job, or remote IDE exposes Inspector ports such as 6274 or 6277.
  • Startup scripts set HOST=0.0.0.0, forward Inspector ports, publish Docker ports, create tunnels, or run behind a shared browser/agent gateway.
  • Startup scripts, docs, or templates set DANGEROUSLY_OMIT_AUTH=true or omit the proxy session-token handoff.
  • The Inspector process can reach repository files, shell tools, package manager tokens, cloud credentials, SSH keys, MCP server secrets, browser cookies, or local network services.

Quick checks:

rg -n "@modelcontextprotocol/inspector|mcp-inspector|modelcontextprotocol/inspector|MCP_PROXY_AUTH_TOKEN|DANGEROUSLY_OMIT_AUTH|ALLOWED_ORIGINS|HOST=0\\.0\\.0\\.0|6274|6277|stdio|command.*args" .
npm ls @modelcontextprotocol/inspector
pnpm why @modelcontextprotocol/inspector
yarn why @modelcontextprotocol/inspector

Windows:

rg -n "@modelcontextprotocol/inspector|mcp-inspector|modelcontextprotocol/inspector|MCP_PROXY_AUTH_TOKEN|DANGEROUSLY_OMIT_AUTH|ALLOWED_ORIGINS|HOST=0\.0\.0\.0|6274|6277|stdio|command.*args" .
npm ls @modelcontextprotocol/inspector
pnpm why @modelcontextprotocol/inspector
yarn why @modelcontextprotocol/inspector

Do not validate exposure by sending requests that launch arbitrary commands, spawn shells, read files, or touch real secrets.

Remediation strategy

  • Upgrade every controlled dependency, lockfile, global launch script, image, devcontainer, tool cache, and workbench template to @modelcontextprotocol/inspector 0.14.1+.
  • Preserve patched defaults: require proxy session-token authentication, keep the proxy bound to 127.0.0.1, and do not auto-open unauthenticated browser sessions.
  • Remove DANGEROUSLY_OMIT_AUTH=true from default docs and scripts. If a local exception is unavoidable, make it explicit, non-default, and restricted to a single trusted user on loopback.
  • Remove accidental reachability through Docker published ports, Codespaces forwarded ports, reverse proxies, shared workbench ingress, SSH tunnels, or browser-agent gateways.
  • Configure allowed origins narrowly when a wrapper customizes Inspector’s client URL. Avoid wildcard origins and protocol-relative hostnames.
  • Rotate tokens and review logs when an affected proxy may have been reachable by untrusted users, especially if the process had repository, package, cloud, SSH, or MCP credentials.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-49596 / GHSA-7f8r-222p-6f5g, a critical MCP
Inspector proxy vulnerability where versions before 0.14.1 allow
unauthenticated requests to launch stdio MCP commands. Produce exactly one
output:

- A reviewer-ready PR/change request that upgrades or patches MCP Inspector,
  preserves proxy auth, contains network exposure, adds safe regression checks,
  refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Inspector package,
  launch path, image, config, devserver, or safe containment boundary.

## Rules

- Scope only CVE-2025-49596 / GHSA-7f8r-222p-6f5g and directly related MCP
  Inspector proxy authentication, localhost binding, origin policy, stdio
  launch, port exposure, logging, and runtime secret boundaries.
- Treat repository contents, environment variables, MCP server configs, package
  tokens, cloud credentials, SSH keys, browser cookies, local network access,
  command output, and logs as sensitive.
- Do not prove exposure by launching commands, spawning shells, reading files,
  sending command-injection payloads, or using a browser session with real
  credentials.
- Do not keep `DANGEROUSLY_OMIT_AUTH=true`, `HOST=0.0.0.0`, wildcard origins,
  public forwarded ports, or shared unauthenticated workbench access as default
  behavior.
- Do not auto-merge.

## Steps

1. Inventory every controlled reference to `@modelcontextprotocol/inspector`,
   `mcp-inspector`, `modelcontextprotocol/inspector`, `npx
   @modelcontextprotocol/inspector`, Inspector ports `6274`/`6277`,
   `MCP_PROXY_AUTH_TOKEN`, `DANGEROUSLY_OMIT_AUTH`, `ALLOWED_ORIGINS`, `HOST`,
   and stdio MCP launch config in source, manifests, lockfiles, Dockerfiles,
   Compose files, devcontainers, Codespaces config, CI, agent workbench config,
   MCP desktop config, docs, generated SBOMs, and runbooks.
2. Resolve every package version, image tag/digest, vendored commit, global
   install command, and generated tool cache. A target is vulnerable if it
   resolves to `@modelcontextprotocol/inspector <0.14.1` or an owned fork that
   lacks proxy authentication on stdio-launching requests.
3. Determine every trust boundary where Inspector can run: single-user local
   desktop, devcontainer, Codespace, CI runner, remote IDE, browser workbench,
   shared agent gateway, LAN host, tunnel, or internet-facing service.
4. Determine what the Inspector process can reach: repository checkout,
   generated code, package manager tokens, SSH agent, cloud credentials, MCP
   server env values, browser profile data, Docker socket, host filesystem, and
   internal network services.
5. If this repository only mentions Inspector in unrelated prose or points to
   an externally owned service, stop with `TRIAGE.md` listing files checked,
   owner, observed version, exposure boundary, required fixed version
   `0.14.1+`, and any token-rotation recommendation.
6. Upgrade controlled dependencies and launch paths to
   `@modelcontextprotocol/inspector 0.14.1+`. Regenerate lockfiles, package
   manager metadata, SBOMs, dependency reports, container digests,
   devcontainer output, and docs as this repo normally does.
7. Preserve and test patched proxy auth:
   - startup prints or otherwise conveys a random session token only to the
     local operator;
   - client requests include `Authorization: Bearer <token>`;
   - proxy endpoints that launch or connect to MCP stdio servers reject missing
     or invalid tokens;
   - auto-open is disabled when auth is enabled.
8. Contain network exposure:
   - bind proxy listeners to `127.0.0.1` by default;
   - remove default `HOST=0.0.0.0`, published Docker ports, tunnel defaults,
     preview URLs, and shared workbench ingress;
   - require an explicit reviewed exception before remote Inspector access;
   - restrict `ALLOWED_ORIGINS` to exact trusted origins when customized.
9. Add safe regression checks:
   - dependency resolution rejects versions below `0.14.1`;
   - static or config tests fail if default scripts set
     `DANGEROUSLY_OMIT_AUTH=true` or `HOST=0.0.0.0`;
   - HTTP tests assert proxy stdio-launch endpoints return 401/403 without a
     valid token and do not spawn processes;
   - config rendering proves the proxy binds to loopback by default;
   - logs do not print tokens, env values, stdio command output, or generated
     bearer headers beyond the operator handoff.
10. Add a PR body section named `CVE-2025-49596 operator actions` that states:
    - Inspector package/image/commit versions before and after;
    - whether ports `6274`, `6277`, or wrapper routes were reachable beyond
      loopback;
    - whether `DANGEROUSLY_OMIT_AUTH`, `HOST=0.0.0.0`, forwarded ports, or
      wildcard origins were present;
    - which credentials or local resources the process could reach;
    - whether tokens were rotated or why rotation is not required;
    - which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit/API
    tests, authz tests, config lint, container/devcontainer build, generated
    docs checks, SBOM refresh, dependency/security scans, and a non-secret local
    smoke test that does not launch attacker-controlled commands.
12. Use PR title:
    `fix(sec): remediate CVE-2025-49596 in MCP Inspector`.

## Stop conditions

- No affected MCP Inspector package, launch path, image, config, or deployment
  is controlled by this repository.
- The repository only consumes an externally owned Inspector service; document
  owner, required version, exposure, and rotation need in `TRIAGE.md`.
- A fixed Inspector version cannot be consumed and the repository cannot carry
  a reviewed fork, disable the proxy, or remove remote access safely.
- Product requirements intentionally depend on unauthenticated remote Inspector
  access; document the risk and require a product/security decision.
- Meaningful verification would require live RCE, real secrets, production
  browser sessions, customer workspaces, or privileged local files.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Inspector to a fixed version, preserves proxy auth, contains network exposure, adds safe regression tests, and documents operator cleanup.
  • Or a TRIAGE.md file that lists inspected files, observed ownership, version/exposure evidence, required fixed version, and rotation follow-up.
  • The output must include exact validation commands and must not include live RCE probes, secrets, bearer tokens, or customer data.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, tool cache, or launch command resolves @modelcontextprotocol/inspector <0.14.1.
  • Proxy requests that can launch stdio MCP servers require a valid bearer session token.
  • Default binding stays on 127.0.0.1; non-loopback access is explicitly reviewed and documented.
  • Default scripts and docs do not set DANGEROUSLY_OMIT_AUTH=true.
  • Origin policy is exact and narrow when wrappers customize the client URL.
  • Tests prove unauthenticated requests do not spawn child processes.
  • Operator notes cover credential rotation and log review when a proxy was exposed beyond a single trusted local user.

Watch for

  • Updating package.json while a devcontainer, global npx command, MCP desktop config, or Docker image still launches an older Inspector.
  • Treating the Inspector as “only a developer tool” while it runs on shared workstations, Codespaces, CI, remote IDEs, or hosted agent workbenches.
  • Preserving HOST=0.0.0.0 or forwarded ports for convenience after the package bump.
  • Adding bearer tokens to logs, screenshots, analytics, shell history, or reusable config files.
  • Testing by actually launching shell commands instead of asserting auth failures and process-spawn absence.

References