CVE-2025-64340
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Description
Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string.

PoC:

```python
import random

from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")


@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]
```

```
fastmcp install claude-code server.py
# or: fastmcp install gemini-cli server.py
```

On Windows, this opens Calculator via the `&calc` in the server name.

Impact: Arbitrary command execution with the privileges of the user running `fastmcp install`. Affects Windows hosts where the target CLI (one of claude, gemini) is installed as a `.cmd` wrapper. Does not affect macOS/Linux, and does not affect config-file-based install targets (cursor, goose, mcp-json).

Patched in #3522 by validating server names to reject shell metacharacters.
Analysis
Command injection in `fastmcp install` on Windows allows arbitrary command execution via shell metacharacters in server names. When installing a server whose name contains a character like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by `cmd.exe` during execution of `.cmd` wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Technical Context
The vulnerability arises from unsafe command construction in fastmcp's install functionality on Windows. Although fastmcp uses `subprocess.run()` with a list argument (which is typically safe), the target CLIs (claude-code, gemini-cli) often resolve to `.cmd` wrapper scripts on Windows. When these wrappers are invoked, the operating system flattens the argument list into a single string and passes it to cmd.exe for execution. The cmd.exe shell interprets special metacharacters like `&` (command chaining), `|` (piping), `>` (redirection), and others, allowing injection of arbitrary commands. This is a classic shell metacharacter injection flaw (CWE-78) arising from the difference between subprocess list-based invocation semantics and cmd.exe's string-based interpretation. The vulnerability only manifests when the CLIs are installed as .cmd wrappers; direct Python executables or config-file-based install targets (cursor, goose, mcp-json) are unaffected. The root cause is insufficient input validation of the server name parameter before passing it to subprocess.
Affected Products
fastmcp (Python package; pip:fastmcp) versions prior to the patch commit in PR #3522 are affected. The vulnerability is specific to Windows systems where the target CLI (claude-code or gemini-cli) is installed as a .cmd wrapper script. Affected platforms include Windows 10 and later where fastmcp is used to install servers. The vulnerability does not affect fastmcp on macOS or Linux, nor does it affect config-file-based install targets (cursor, goose, mcp-json). See GitHub security advisory GHSA-m8x7-r2rg-vh5g at https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g for vendor acknowledgment.
Remediation
Update fastmcp to a patched version that includes PR #3522, which adds validation to reject server names containing shell metacharacters. Consult the GitHub security advisory (https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g) for the exact patched version number. Until patching is possible, Windows users should avoid running `fastmcp install` with untrusted server files and should verify that server names do not contain shell metacharacters (`&`, `|`, `>`, `<`, `;`, etc.). As a defense-in-depth measure, ensure that fastmcp is only run with the minimum required privileges and avoid running installation commands from untrusted sources.
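The following added example (not code from fastmcp or from PR #3522) shows why the list form of `subprocess.run()` does not protect a `.cmd` target, and one way to check a server name before installing. The argv, the `CMD_METACHARS` set and the function names are assumptions made for illustration.

```python
import subprocess

# Assumption: illustrative deny-list of characters cmd.exe treats specially.
# The exact set rejected by the fix in PR #3522 is not shown on this page.
CMD_METACHARS = frozenset('&|<>;^%!"()\r\n')


def flattened_command(server_name: str) -> str:
    """Return the single string Windows builds from an argv list.

    The argv is a constructed stand-in, not fastmcp's real invocation.
    subprocess.list2cmdline() is what subprocess uses on Windows to join a
    list: it quotes an argument only when it contains a space or tab (or is
    empty) and knows nothing about cmd.exe metacharacters.
    """
    argv = ["claude.cmd", "mcp", "add", server_name]
    return subprocess.list2cmdline(argv)


def unsafe_chars(server_name: str) -> list[str]:
    """List the cmd.exe metacharacters present in a server name."""
    return sorted(set(server_name) & CMD_METACHARS)


def validate_server_name(server_name: str) -> str:
    """Return the name unchanged, or raise ValueError if it is unsafe."""
    found = unsafe_chars(server_name)
    if found:
        raise ValueError(
            f"server name {server_name!r} contains shell metacharacters: {found}"
        )
    return server_name


if __name__ == "__main__":
    for name in ("dice-server", "test&calc"):  # constructed sample names
        print(repr(flattened_command(name)))
        try:
            validate_server_name(name)
            print("  accepted")
        except ValueError as exc:
            print("  rejected:", exc)
```

The `&` reaches the flattened string unquoted, which is the string `cmd.exe` parses when the target is a `.cmd` wrapper; rejecting the name before the subprocess call removes that input.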