Skip to main content

Python CVE-2025-64340

MEDIUM
OS Command Injection (CWE-78)
2026-03-31 https://github.com/PrefectHQ/fastmcp GHSA-m8x7-r2rg-vh5g
6.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 31, 2026 - 22:32 vuln.today
Patch released
Mar 31, 2026 - 22:32 nvd
Patch available
CVE Published
Mar 31, 2026 - 22:24 nvd
MEDIUM 6.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 23 pypi packages depend on fastmcp (22 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.2.0.

DescriptionGitHub Advisory

Server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string.

PoC:

python
from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")

@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]
fastmcp install claude-code server.py
# or: fastmcp install gemini-cli server.py

On Windows, this opens Calculator via the &calc in the server name.

Impact: Arbitrary command execution with the privileges of the user running fastmcp install. Affects Windows hosts where the target CLI (one of claude, gemini) is installed as a .cmd wrapper. Does not affect macOS/Linux, and does not affect config-file-based install targets (cursor, goose, mcp-json).

Patched in #3522 by validating server names to reject shell metacharacters.

AnalysisAI

Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like & (e.g., fastmcp install claude-code with server name test&calc), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.

Technical ContextAI

The vulnerability arises from unsafe command construction in fastmcp's install functionality on Windows. Although fastmcp uses subprocess.run() with a list argument (which is typically safe), the target CLIs (claude-code, gemini-cli) often resolve to .cmd wrapper scripts on Windows. When these wrappers are invoked, the operating system flattens the argument list into a single string and passes it to cmd.exe for execution. The cmd.exe shell interprets special metacharacters like & (command chaining), | (piping), > (redirection), and others, allowing injection of arbitrary commands. This is a classic shell metacharacter injection flaw (CWE-78) arising from the difference between subprocess list-based invocation semantics and cmd.exe's string-based interpretation. The vulnerability only manifests when the CLIs are installed as .cmd wrappers; direct Python executables or config-file-based install targets (cursor, goose, mcp-json) are unaffected. The root cause is insufficient input validation of the server name parameter before passing it to subprocess.

RemediationAI

Update fastmcp to a patched version that includes PR #3522, which adds validation to reject server names containing shell metacharacters. Consult the GitHub security advisory (https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g) for the exact patched version number. Until patching is possible, Windows users should avoid running fastmcp install with untrusted server files and should verify that server names do not contain shell metacharacters (&, |, >, <, ;, etc.). As a defense-in-depth measure, ensure that fastmcp is only run with the minimum required privileges and avoid running installation commands from untrusted sources.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2025-64340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy