CVE-2025-49596 - MCP Inspector proxy unauthenticated RCE
MCP Inspector is a developer tool for testing Model Context Protocol servers.
Versions before 0.14.1 exposed the proxy server without authentication between
the browser client and the proxy. An unauthenticated network request could make
the proxy launch MCP server commands over stdio, which is code execution on the
developer workstation, devcontainer, CI runner, or hosted workbench running the
inspector.
The fix is not only a package bump. The patched release adds proxy session-token
authentication, disables auto-open when auth is enabled, binds the proxy to
127.0.0.1 by default, and documents DNS rebinding controls through allowed
origins. Any wrapper that starts Inspector for agents should keep those defaults
instead of re-opening the old boundary through HOST=0.0.0.0, forwarded ports,
or DANGEROUSLY_OMIT_AUTH.
When to use it
Use this recipe when a repository, workbench, devcontainer, CI image, desktop agent profile, or internal developer tool installs or launches MCP Inspector. It is most useful for source-code remediation, MCP boundary review, developer tool hardening, and audit evidence that proves Inspector cannot be reached or used as an unauthenticated stdio command launcher.
Inputs
- Package manifests, lockfiles, Dockerfiles, devcontainer files, CI jobs, desktop agent configs, and docs that reference MCP Inspector.
- Observed Inspector version, wrapper command, proxy bind address, forwarded ports, origin policy, and session-token behavior.
- Evidence of what the Inspector process can access: repository checkout, package tokens, cloud credentials, SSH agent, MCP server environment, Docker socket, browser profile, and local network reachability.
- Validation commands that are safe to run without spawning attacker-selected commands or touching real secrets.
Affected versions
- Vulnerable:
@modelcontextprotocol/inspector <0.14.1 - Fixed:
@modelcontextprotocol/inspector 0.14.1+ - Affected code shape: the Inspector proxy accepts unauthenticated browser
or HTTP requests that can create stdio MCP transports with attacker-selected
command,args, orenv. - Fixed code shape: proxy requests require a random session token in the
Authorization: Bearer ...header, proxy binding defaults to127.0.0.1, and cross-origin access is constrained.
Indicator-of-exposure
- The repository installs, launches, vendors, documents, or wraps
@modelcontextprotocol/inspector,modelcontextprotocol/inspector,mcp-inspector, ornpx @modelcontextprotocol/inspector. - A devserver, workbench, desktop agent config, container, Codespace, CI job,
or remote IDE exposes Inspector ports such as
6274or6277. - Startup scripts set
HOST=0.0.0.0, forward Inspector ports, publish Docker ports, create tunnels, or run behind a shared browser/agent gateway. - Startup scripts, docs, or templates set
DANGEROUSLY_OMIT_AUTH=trueor omit the proxy session-token handoff. - The Inspector process can reach repository files, shell tools, package manager tokens, cloud credentials, SSH keys, MCP server secrets, browser cookies, or local network services.
Quick checks:
rg -n "@modelcontextprotocol/inspector|mcp-inspector|modelcontextprotocol/inspector|MCP_PROXY_AUTH_TOKEN|DANGEROUSLY_OMIT_AUTH|ALLOWED_ORIGINS|HOST=0\\.0\\.0\\.0|6274|6277|stdio|command.*args" .
npm ls @modelcontextprotocol/inspector
pnpm why @modelcontextprotocol/inspector
yarn why @modelcontextprotocol/inspector
Windows:
rg -n "@modelcontextprotocol/inspector|mcp-inspector|modelcontextprotocol/inspector|MCP_PROXY_AUTH_TOKEN|DANGEROUSLY_OMIT_AUTH|ALLOWED_ORIGINS|HOST=0\.0\.0\.0|6274|6277|stdio|command.*args" .
npm ls @modelcontextprotocol/inspector
pnpm why @modelcontextprotocol/inspector
yarn why @modelcontextprotocol/inspector
Do not validate exposure by sending requests that launch arbitrary commands, spawn shells, read files, or touch real secrets.
Remediation strategy
- Upgrade every controlled dependency, lockfile, global launch script, image,
devcontainer, tool cache, and workbench template to
@modelcontextprotocol/inspector 0.14.1+. - Preserve patched defaults: require proxy session-token authentication, keep
the proxy bound to
127.0.0.1, and do not auto-open unauthenticated browser sessions. - Remove
DANGEROUSLY_OMIT_AUTH=truefrom default docs and scripts. If a local exception is unavoidable, make it explicit, non-default, and restricted to a single trusted user on loopback. - Remove accidental reachability through Docker published ports, Codespaces forwarded ports, reverse proxies, shared workbench ingress, SSH tunnels, or browser-agent gateways.
- Configure allowed origins narrowly when a wrapper customizes Inspector’s client URL. Avoid wildcard origins and protocol-relative hostnames.
- Rotate tokens and review logs when an affected proxy may have been reachable by untrusted users, especially if the process had repository, package, cloud, SSH, or MCP credentials.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-49596 / GHSA-7f8r-222p-6f5g, a critical MCP
Inspector proxy vulnerability where versions before 0.14.1 allow
unauthenticated requests to launch stdio MCP commands. Produce exactly one
output:
- A reviewer-ready PR/change request that upgrades or patches MCP Inspector,
preserves proxy auth, contains network exposure, adds safe regression checks,
refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Inspector package,
launch path, image, config, devserver, or safe containment boundary.
## Rules
- Scope only CVE-2025-49596 / GHSA-7f8r-222p-6f5g and directly related MCP
Inspector proxy authentication, localhost binding, origin policy, stdio
launch, port exposure, logging, and runtime secret boundaries.
- Treat repository contents, environment variables, MCP server configs, package
tokens, cloud credentials, SSH keys, browser cookies, local network access,
command output, and logs as sensitive.
- Do not prove exposure by launching commands, spawning shells, reading files,
sending command-injection payloads, or using a browser session with real
credentials.
- Do not keep `DANGEROUSLY_OMIT_AUTH=true`, `HOST=0.0.0.0`, wildcard origins,
public forwarded ports, or shared unauthenticated workbench access as default
behavior.
- Do not auto-merge.
## Steps
1. Inventory every controlled reference to `@modelcontextprotocol/inspector`,
`mcp-inspector`, `modelcontextprotocol/inspector`, `npx
@modelcontextprotocol/inspector`, Inspector ports `6274`/`6277`,
`MCP_PROXY_AUTH_TOKEN`, `DANGEROUSLY_OMIT_AUTH`, `ALLOWED_ORIGINS`, `HOST`,
and stdio MCP launch config in source, manifests, lockfiles, Dockerfiles,
Compose files, devcontainers, Codespaces config, CI, agent workbench config,
MCP desktop config, docs, generated SBOMs, and runbooks.
2. Resolve every package version, image tag/digest, vendored commit, global
install command, and generated tool cache. A target is vulnerable if it
resolves to `@modelcontextprotocol/inspector <0.14.1` or an owned fork that
lacks proxy authentication on stdio-launching requests.
3. Determine every trust boundary where Inspector can run: single-user local
desktop, devcontainer, Codespace, CI runner, remote IDE, browser workbench,
shared agent gateway, LAN host, tunnel, or internet-facing service.
4. Determine what the Inspector process can reach: repository checkout,
generated code, package manager tokens, SSH agent, cloud credentials, MCP
server env values, browser profile data, Docker socket, host filesystem, and
internal network services.
5. If this repository only mentions Inspector in unrelated prose or points to
an externally owned service, stop with `TRIAGE.md` listing files checked,
owner, observed version, exposure boundary, required fixed version
`0.14.1+`, and any token-rotation recommendation.
6. Upgrade controlled dependencies and launch paths to
`@modelcontextprotocol/inspector 0.14.1+`. Regenerate lockfiles, package
manager metadata, SBOMs, dependency reports, container digests,
devcontainer output, and docs as this repo normally does.
7. Preserve and test patched proxy auth:
- startup prints or otherwise conveys a random session token only to the
local operator;
- client requests include `Authorization: Bearer <token>`;
- proxy endpoints that launch or connect to MCP stdio servers reject missing
or invalid tokens;
- auto-open is disabled when auth is enabled.
8. Contain network exposure:
- bind proxy listeners to `127.0.0.1` by default;
- remove default `HOST=0.0.0.0`, published Docker ports, tunnel defaults,
preview URLs, and shared workbench ingress;
- require an explicit reviewed exception before remote Inspector access;
- restrict `ALLOWED_ORIGINS` to exact trusted origins when customized.
9. Add safe regression checks:
- dependency resolution rejects versions below `0.14.1`;
- static or config tests fail if default scripts set
`DANGEROUSLY_OMIT_AUTH=true` or `HOST=0.0.0.0`;
- HTTP tests assert proxy stdio-launch endpoints return 401/403 without a
valid token and do not spawn processes;
- config rendering proves the proxy binds to loopback by default;
- logs do not print tokens, env values, stdio command output, or generated
bearer headers beyond the operator handoff.
10. Add a PR body section named `CVE-2025-49596 operator actions` that states:
- Inspector package/image/commit versions before and after;
- whether ports `6274`, `6277`, or wrapper routes were reachable beyond
loopback;
- whether `DANGEROUSLY_OMIT_AUTH`, `HOST=0.0.0.0`, forwarded ports, or
wildcard origins were present;
- which credentials or local resources the process could reach;
- whether tokens were rotated or why rotation is not required;
- which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit/API
tests, authz tests, config lint, container/devcontainer build, generated
docs checks, SBOM refresh, dependency/security scans, and a non-secret local
smoke test that does not launch attacker-controlled commands.
12. Use PR title:
`fix(sec): remediate CVE-2025-49596 in MCP Inspector`.
## Stop conditions
- No affected MCP Inspector package, launch path, image, config, or deployment
is controlled by this repository.
- The repository only consumes an externally owned Inspector service; document
owner, required version, exposure, and rotation need in `TRIAGE.md`.
- A fixed Inspector version cannot be consumed and the repository cannot carry
a reviewed fork, disable the proxy, or remove remote access safely.
- Product requirements intentionally depend on unauthenticated remote Inspector
access; document the risk and require a product/security decision.
- Meaningful verification would require live RCE, real secrets, production
browser sessions, customer workspaces, or privileged local files.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades Inspector to a fixed version, preserves proxy auth, contains network exposure, adds safe regression tests, and documents operator cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, observed ownership, version/exposure evidence, required fixed version, and rotation follow-up. - The output must include exact validation commands and must not include live RCE probes, secrets, bearer tokens, or customer data.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, tool cache, or launch command
resolves
@modelcontextprotocol/inspector <0.14.1. - Proxy requests that can launch stdio MCP servers require a valid bearer session token.
- Default binding stays on
127.0.0.1; non-loopback access is explicitly reviewed and documented. - Default scripts and docs do not set
DANGEROUSLY_OMIT_AUTH=true. - Origin policy is exact and narrow when wrappers customize the client URL.
- Tests prove unauthenticated requests do not spawn child processes.
- Operator notes cover credential rotation and log review when a proxy was exposed beyond a single trusted local user.
Watch for
- Updating
package.jsonwhile a devcontainer, globalnpxcommand, MCP desktop config, or Docker image still launches an older Inspector. - Treating the Inspector as “only a developer tool” while it runs on shared workstations, Codespaces, CI, remote IDEs, or hosted agent workbenches.
- Preserving
HOST=0.0.0.0or forwarded ports for convenience after the package bump. - Adding bearer tokens to logs, screenshots, analytics, shell history, or reusable config files.
- Testing by actually launching shell commands instead of asserting auth failures and process-spawn absence.
Related recipes
- Source code attack surface map
- Source code supply chain build integrity audit
- SAST finding triage and fix
- OWASP Top 10 2026 audit