N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58444

GHSA ID

GHSA-g9hg-qhmf-q45m

EPSS Score

CWE

CWE-79

Published

9/8/2025

Updated

9/8/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58444

CVE-2025-58444: MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server

An XSS issue was reported in the MCP Inspector local development tool when connecting to an untrusted remote MCP server with a malicious redirect URI. This could be leveraged to interact directly with the inspector proxy to trigger arbitrary command execution. Users are advised to update to 0.16.6 to resolve this issue.

Thank you to the following researchers for their reports and contributions:

Raymond (Veria Labs)
Gavin Zhong, superboyzjc@gmail.com & Shuyang Wang, swang@obsidiansecurity.com.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58444

GHSA ID

GHSA-g9hg-qhmf-q45m

EPSS Score

CWE

CWE-79

Published

9/8/2025

Updated

9/8/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@modelcontextprotocol/inspector	npm	< 0.16.6	0.16.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in the MCP Inspector's OAuth flow, which can be escalated to arbitrary command execution. The root cause is the failure to properly validate the authorizationUrl received from a potentially malicious remote MCP server before using it in client-side redirects or links.

The analysis of the patch commit 650f3090d26344a672026b737d81586595bb1f60 reveals several locations where this untrusted URL was handled insecurely:

In AuthDebugger.tsx, a useEffect hook triggered an automatic redirect using window.location.href without any validation.
In OAuthFlowProgress.tsx, the URL was used directly in an <a> tag's href attribute and in a window.open call, both of which are vulnerable to javascript: URIs if a user clicks them.
In auth.ts, the InspectorOAuthClientProvider.redirectToAuthorization method had a weak protocol check before redirecting, which was insufficient.

A malicious server could provide an authorizationUrl with a javascript: scheme. When the MCP Inspector client processed this URL, it would execute the embedded script in the user's browser. According to the advisory, this XSS could then be used to interact with the inspector's proxy, leading to arbitrary command execution on the user's machine.

The fix involves introducing a new centralized utility function, validateRedirectUrl, which strictly ensures that any URL used for redirection has either an http: or https: protocol. This function is now called in all the previously vulnerable locations before the URL is used, effectively mitigating the XSS threat.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n XSS issu* w*s r*port** in t** M*P Insp**tor lo**l **v*lopm*nt tool w**n *onn**tin* to *n untrust** r*mot* M*P s*rv*r wit* * m*li*ious r**ir**t URI. T*is *oul* ** l*v*r**** to int*r**t *ir**tly wit* t** insp**tor proxy to tri***r *r*itr*ry *omm*n*

Reasoning

T** vuln*r**ility is * *ross-Sit* S*riptin* (XSS) issu* in t** M*P Insp**tor's O*ut* *low, w*i** **n ** *s**l*t** to *r*itr*ry *omm*n* *x**ution. T** root **us* is t** **ilur* to prop*rly v*li**t* t** `*ut*oriz*tionUrl` r***iv** *rom * pot*nti*lly m*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-58444: MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI