Python
CVE-2025-64340
MEDIUM
Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 23 pypi packages depend on fastmcp (22 direct, 1 indirect)
Ecosystem-wide dependent count for version 3.2.0.
DescriptionGitHub Advisory
Server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string.
PoC:
from fastmcp import FastMCP
mcp = FastMCP(name="test&calc")
@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
"""Roll `n_dice` 6-sided dice and return the results."""
return [random.randint(1, 6) for _ in range(n_dice)]fastmcp install claude-code server.py
# or: fastmcp install gemini-cli server.pyOn Windows, this opens Calculator via the &calc in the server name.
Impact: Arbitrary command execution with the privileges of the user running fastmcp install. Affects Windows hosts where the target CLI (one of claude, gemini) is installed as a .cmd wrapper. Does not affect macOS/Linux, and does not affect config-file-based install targets (cursor, goose, mcp-json).
Patched in #3522 by validating server names to reject shell metacharacters.
AnalysisAI
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like & (e.g., fastmcp install claude-code with server name test&calc), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Technical ContextAI
The vulnerability arises from unsafe command construction in fastmcp's install functionality on Windows. Although fastmcp uses subprocess.run() with a list argument (which is typically safe), the target CLIs (claude-code, gemini-cli) often resolve to .cmd wrapper scripts on Windows. When these wrappers are invoked, the operating system flattens the argument list into a single string and passes it to cmd.exe for execution. The cmd.exe shell interprets special metacharacters like & (command chaining), | (piping), > (redirection), and others, allowing injection of arbitrary commands. This is a classic shell metacharacter injection flaw (CWE-78) arising from the difference between subprocess list-based invocation semantics and cmd.exe's string-based interpretation. The vulnerability only manifests when the CLIs are installed as .cmd wrappers; direct Python executables or config-file-based install targets (cursor, goose, mcp-json) are unaffected. The root cause is insufficient input validation of the server name parameter before passing it to subprocess.
RemediationAI
Update fastmcp to a patched version that includes PR #3522, which adds validation to reject server names containing shell metacharacters. Consult the GitHub security advisory (https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g) for the exact patched version number. Until patching is possible, Windows users should avoid running fastmcp install with untrusted server files and should verify that server names do not contain shell metacharacters (&, |, >, <, ;, etc.). As a defense-in-depth measure, ensure that fastmcp is only run with the minimum required privileges and avoid running installation commands from untrusted sources.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m8x7-r2rg-vh5g