- Anthropics MCP Inspector Project carried an error that enabled miscreants to steal sensitive data, release malware
- To abuse it is hackers need to link it with a decades old browser error
- The error was fixed in mid -June 2025 but users should still be on their guard
The Anthropic Model Context Protocol (MCP) Inspector Project carried a vulnerability of critical difficulty that could have enabled threat actors to mount Remote Code Execution (RCE) attacks against host units, experts have warned.
Best known for its Claude Conversational AI model developed Anthropic MCP, an open source standard that facilitates secure, two-way communication between AI systems and external data sources. It also built inspector, a separate open source tool that allows developers to test and debug MCP servers.
Now it was reported that an error in the inspector could have been used to steal sensitive data, drop malware and move laterally over target networks.
Patching of the error
Apparently, this is the first vulnerability at the critical level of Anthropics MCP ecosystem, and one that opens a whole new class of attack.
The error is traced as CVE-2025-49596 and has a severity of 9.4/10-critical.
“This is one of the first critical RCEs in Anthropics MCP ecosystem that exposes a new class of browser-based attacks against AI developing tools,” explained Avi Lumelsky of Oligo Security.
“With code execution on a developer’s machine can attack stealing data, install back doors and move laterally over networks -highlights serious risks to AI -Teams, Open Source projects and business recorders who depend on MCP.”
To abuse this error, attackers need to link it with “0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. AD. A two-year-old vulnerability in web browsers that enables malicious sites to break local networks, Hacker the news explains, quotes Lumelsky.
By creating a malicious site and then sending a request to Localhost services running on a MCP server, could attack raising arbitrary commands on a developer’s machine.
Anthropic was notified of the error in April this year and returned with a patch on June 13 and pushed the tool for version 0.14.1. Now a session token is added to the proxy server as well as the value of origin, making the attacks the moot.
