GHSA-rj5c-58rq-j5g5

Source
https://github.com/advisories/GHSA-rj5c-58rq-j5g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-rj5c-58rq-j5g5/GHSA-rj5c-58rq-j5g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rj5c-58rq-j5g5
Aliases
Published
2025-10-29T15:39:03Z
Modified
2025-10-29T15:52:48.354703Z
Severity
  • 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
Details

Summary

A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP server execute arbitrary OS commands on Windows hosts that run fastmcp install cursor.

Details

  1. generate_cursor_deeplink(server_name, …) embeds server_name verbatim in a cursor://…?name= query string.
  2. open_deeplink() is invoked with shell=True only on Windows. That calls cmd.exe /c start <deeplink>.
  3. Any cmd metacharacter inside server_name (&, |, >, ^, …) escapes the start command and spawns an attacker-chosen process.

PoC

server.py


import random
from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")  # the '&' in the name is what breaks out of `cmd.exe /c start` on Windows

@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]

if __name__ == "__main__":
    mcp.run()

Then run in the terminal: fastmcp install cursor server.py
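The hardened counterpart to the three-step chain above, written as an added example and not fastmcp's own code (the project's actual fix in 2.13.0 is not described on this page). It applies the two defences a reviewer would look for: the server name is validated against a strict allow-list before it is embedded in the URL, and the deeplink is handed to the OS opener without a shell, so cmd.exe never parses the string. The cursor:// URL base, the base64 config payload and every function name here are assumptions for illustration; only the PoC name "test&calc" and the cursor://…?name= shape come from the advisory.

```python
"""Hardened Cursor-deeplink construction (illustrative, not fastmcp's code)."""
import base64
import json
import os
import platform
import re
import subprocess
from urllib.parse import urlencode

# Allow-list: identifier-like names only. Anything else, including the
# cmd.exe metacharacters & | > ^ and quotes, is rejected before use.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters cmd.exe treats as syntax when handed `cmd /c start <url>`;
# used only by the audit helper to explain why a name was rejected.
CMD_METACHARACTERS = frozenset("&|<>^%!()\"'` \t\n\r")

# Assumed deeplink base; the advisory only shows "cursor://…?name=".
CURSOR_DEEPLINK_BASE = "cursor://anysphere.cursor-deeplink/mcp/install"


def validate_server_name(name: str) -> str:
    """Return `name` unchanged if it is a safe identifier, else raise ValueError."""
    if not isinstance(name, str) or not SERVER_NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe MCP server name: {name!r}")
    return name


def offending_characters(name: str) -> set:
    """Characters in `name` that cmd.exe would interpret as syntax."""
    return {c for c in name if c in CMD_METACHARACTERS}


def build_cursor_deeplink(server_name: str, config: dict) -> str:
    """Build the install deeplink from a validated, URL-encoded server name.

    The config dict is serialised to JSON and base64-encoded so the whole
    payload travels as one opaque query value (assumed encoding).
    """
    name = validate_server_name(server_name)
    raw = json.dumps(config, separators=(",", ":")).encode()
    encoded = base64.urlsafe_b64encode(raw).decode()
    return f"{CURSOR_DEEPLINK_BASE}?{urlencode({'name': name, 'config': encoded})}"


def opener_plan(deeplink: str, system: str):
    """How `deeplink` is opened on `system` without any shell involvement.

    Returns ("startfile", url) on Windows, otherwise an argv list that is
    passed to subprocess.run as a list (so no shell parsing happens).
    """
    if system == "Windows":
        return ("startfile", deeplink)
    if system == "Darwin":
        return ["open", deeplink]
    return ["xdg-open", deeplink]


def open_deeplink(deeplink: str) -> None:
    """Open the deeplink according to opener_plan(); never uses shell=True."""
    plan = opener_plan(deeplink, platform.system())
    if plan[0] == "startfile":
        os.startfile(plan[1])  # ShellExecute on the URL itself; cmd.exe is not involved
    else:
        subprocess.run(plan, check=True)  # argv list, no shell


def audit_server_names(names):
    """Defender-side check over a set of configured names.

    Maps each unsafe name to the sorted metacharacters that make it unsafe,
    or to "(not an identifier)" when it fails the allow-list for another reason.
    """
    report = {}
    for n in names:
        try:
            validate_server_name(n)
        except ValueError:
            bad = "".join(sorted(offending_characters(n)))
            report[n] = bad or "(not an identifier)"
    return report


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's PoC name beside a safe one.
    print(audit_server_names(["test&calc", "dice-server"]))
    print(build_cursor_deeplink("dice-server", {"command": "uv", "args": ["run", "server.py"]}))
```

Running the audit over a config file's server names before invoking any installer is the cheap check: the PoC name "test&calc" is reported with its offending "&", while "dice-server" passes. The validation is deliberately stricter than what cmd.exe needs, because an allow-list is easier to reason about than a deny-list of shell syntax, and the no-shell opener means the allow-list is defence in depth rather than the only barrier.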

Impact

OS Command / Shell Injection (CWE-78). Every Windows host that runs fastmcp install cursor is at risk: developers on their local workstations, CI/CD agents and corporate build machines alike.

Database specific
{
    "github_reviewed_at": "2025-10-29T15:39:03Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": "2025-10-28T22:15:37Z",
    "severity": "MODERATE"
}
References

Affected packages

Package: PyPI / fastmcp

Affected ranges

Type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 2.13.0

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1

1.*

1.0

2.*

2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0rc1
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.13.0rc1
2.13.0rc2
2.13.0rc3