GHSA-rcfx-77hg-w2wv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rcfx-77hg-w2wv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-rcfx-77hg-w2wv/GHSA-rcfx-77hg-w2wv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rcfx-77hg-w2wv
- Published
- 2025-12-26T23:20:50Z
- Modified
- 2025-12-26T23:27:27.257304Z
- Summary
- FastMCP updated to MCP 1.23+ due to CVE-2025-66416
- Details
-
There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416.
FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-12-26T23:20:50Z" }- References
Affected packages
PyPI / fastmcp
Package
- Name
- fastmcp
- View open source insights on deps.dev
- Purl
- pkg:pypi/fastmcp
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.14.0
Affected versions
0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
1.*
1.0
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0rc1
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.13.0rc1
2.13.0rc2
2.13.0rc3
2.13.0
2.13.0.1
2.13.0.2
2.13.1
2.13.2
2.13.3