PRP: MCP Inspector CVE-2025-49596 Unauthenticated Remote Code Execution

[frkngksl]

• Identifier of the vulnerability: CVE-2025-49596
• Affected software: MCP Inspector
• Type of vulnerability: Authentication Bypass
• Requires authentication: No
• Language you would use for writing the plugin: Templated Plugin
• Resources:
  GHSA-7f8r-222p-6f5g
  https://github.com/ashiqrehan-21/MCP-Inspector-CVE-2025-49596/tree/main
  https://github.com/modelcontextprotocol/inspector/

In the above checker repository, it only checks for the authorization header in the response. I've verified that this is a valid and reliable indicator on multiple versions. However, I couldn't find any source that explains the real code execution. I'm planning to implement a template plugin that checks the vulnerability in the same way, if you are okay with that. However, I could research further about this to perform exact code execution.

[tooryx]

Hi @frkngksl,

Could you please check if you are able to reach command execution once you bypass the authentication? We would be interested to pursue with this if we can reach RCE.

~tooryx

[frkngksl]

Of course @tooryx , I'm on it.

[frkngksl]

Hi @tooryx ,

I confirmed that this is a Blind RCE. By using our Callback Server, we can validate it. May I start the development of it?

[github-actions]

Congratulations, your request has been approved! 🎉

This means that you can start working on this contribution.

❗ Please take a moment to fill the participation form

If you are unsure where to start, we have compiled a set of
useful guides in our documentation:

📖 https://google.github.io/tsunami-security-scanner/howto/

Unfortunately, our documentation is not yet complete for
fingerprints, Python plugins and weak credential detectors. For
these, we recommend looking at existing plugins.

📢 Read latest announcements on GitHub pages

~The Tsunami PRP team

[frkngksl]

Hi @tooryx , @maoning

I've sent the following PR regarding this issue.

#688