Chained with a legacy flaw for RCE: Oligo demonstrated that the attack vector combines two independent flaws. Attackers could chain the legacy “0.0.0.0-day” browser flaw, which lets web pages send requests to the 0.0.0.0 address that browsers treat like localhost, with a CSRF-style attack against the Inspector proxy’s vulnerable “/sse” endpoint, which accepts commands via query strings over the stdio transport. The CSRF escalates to RCE when the attacker uses the flaw to dispatch malicious requests. “When an attacker can craft a request to the MCP inspector from a public domain JavaScript context, that request can trigger arbitrary commands on the victim’s machine, effectively gaining control over it,” Lumelsky said. The Oligo research highlights that default configurations could unintentionally expose MCP servers to attacks, potentially giving threat actors a backdoor into developers’ machines. While the 0.0.0.0-day remains unpatched in Chromium and Firefox more than a year after its discovery, the MCP flaw has been promptly fixed by Anthropic, owing to its critical severity (CVSS 9.4 out of 10). An NVD advisory urges customers to immediately upgrade all vulnerable versions (below 0.14.1).
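As an added example (not code from Oligo or from the MCP Inspector project), the check below shows the Host/Origin validation that a localhost developer service can apply to break the 0.0.0.0 and CSRF chain described above; the header values and port used are constructed.

```python
"""Request-trust check for a localhost-only developer service.

Added example, not MCP Inspector's own code. A web page abusing the 0.0.0.0
quirk reaches the service with Host "0.0.0.0", and any cross-site page sends
an Origin that is not loopback, so both are refused here.
"""
from urllib.parse import urlsplit

# Hostnames a browser may legitimately use to reach a local-only service.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname(value):
    """Strip the port from a Host header value or an Origin's netloc."""
    # Bracketed IPv6 keeps its brackets so "[::1]" matches the allowlist.
    if value.startswith("["):
        return value.split("]")[0] + "]"
    return value.split(":")[0]


def request_is_trusted(headers):
    """Return (ok, reason) for a dict of request headers.

    Rules:
    - Host must be a loopback name; "0.0.0.0" and DNS-rebound attacker
      domains both fail this test.
    - A missing Origin is allowed (same-origin navigations and curl omit it).
    - A present Origin must be http(s) from a loopback host; "null" (sandboxed
      iframes, file://) and public sites are refused.
    """
    host = headers.get("Host", "")
    if _hostname(host) not in LOCAL_HOSTS:
        return False, f"untrusted Host: {host!r}"
    origin = headers.get("Origin")
    if origin is None:
        return True, "no Origin header"
    if origin == "null":
        return False, "null Origin"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or _hostname(parts.netloc) not in LOCAL_HOSTS:
        return False, f"cross-site Origin: {origin!r}"
    return True, "local Origin"
```

Header validation complements, and does not replace, binding the listener to 127.0.0.1 instead of 0.0.0.0 and requiring a per-session token on command endpoints.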
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4016090/critical-rce-flaw-in-anthropics-mcp-inspector-exposes-developer-machines-to-remote-attacks.html