6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66454

GHSA ID

GHSA-g2jx-37x6-6438

EPSS Score

CWE

CWE-284

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66454

CVE-2025-66454: arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary

The arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints—including tool enumeration and tool invocation—without credentials.

Anyone following the official quick-start guide is vulnerable unless they manually override ARCADE_WORKER_SECRET.

Details

The documented method for launching an HTTP MCP server (python server.py http) implicitly sets the worker secret to the hardcoded default "dev":

ArcadeSettings.server_secret defaults to "dev" (libs/arcade-mcp-server/arcade_mcp_server/settings.py:129–158)

create_arcade_mcp() passes this value directly to FastAPIWorker without validation (libs/arcade-mcp-server/arcade_mcp_server/worker.py:118–188)

BaseWorker._set_secret() accepts this value and does not enforce rotation (libs/arcade-serve/arcade_serve/core/base.py:42–83)

Because the worker’s signing key is constant and publicly documented, attackers can trivially generate valid HS256 JWTs:

The FastAPI worker auth middleware (arcade_serve/fastapi/auth.py) trusts any JWT signed with the worker secret.

The core auth layer (arcade_serve/core/auth.py) does not distinguish forged tokens from legitimate ones.

The official quick-start instructions (README.md:164–190) demonstrate launching an MCP server without mentioning worker-secret rotation. Users are told how to define tool secrets in .env, but not that the worker’s authentication key must be changed.

As a result, servers deployed following the documented workflow expose all /worker/* endpoints to anyone capable of generating a simple HS256 token using the known key.

This CVE was resolved by https://github.com/ArcadeAI/arcade-mcp/pull/691

PoC

Start the server using the official guide https://docs.arcade.dev/en/home/build-tools/create-a-mcp-server

Verify that unauthenticated access is rejected (expected)

curl -s -D - http://127.0.0.1:8000/worker/tools
# → 403 Forbidden

Forge a valid HS256 token using the hardcoded default secret "dev"

import jwt
print(jwt.encode({'ver': '1', 'aud': 'worker'}, 'dev', algorithm='HS256'))

Use the forged token to bypass authentication

curl -s -D - \
  -H "Authorization: Bearer $(cat /tmp/forged_token.txt)" \
  http://127.0.0.1:8000/worker/tools

Result: The server responds 200 OK with the full tool catalog and allows invocation of all worker tools.

Server logs show a rejected request immediately followed by a successful forged request, confirming the bypass.

Impact

This is an authentication bypass that results in full remote access to all MCP worker endpoints:

Unauthenticated attackers can enumerate tools

Invoke arbitrary tools remotely

Access any data returned by tools (including secrets loaded into ToolContext)

Execute actions inside internal systems if tools expose operational capabilities

Perform these actions without any brute forcing or guesswork due to the known default signing key

Any user who follows the official setup guide is exposed unless they manually override ARCADE_WORKER_SECRET, which is not documented.

This vulnerability effectively gives complete remote control over the MCP worker API to any attacker aware of the default key.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66454

CVE-2025-66454:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66454

GHSA ID

GHSA-g2jx-37x6-6438

EPSS Score

CWE

CWE-284

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
arcade-mcp-server	pip	< 1.9.1	1.9.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is caused by a hardcoded default worker secret, "dev", in the arcade-mcp-server. This allows an attacker to bypass authentication for all MCP worker endpoints by forging a JWT signed with this known secret.

The analysis of the provided patches confirms this. The main patch, in commit 44660d18ceb220600401303df860a31ca766c817, addresses the issue in two key places:

libs/arcade-mcp-server/arcade_mcp_server/settings.py: The ArcadeSettings class, which defines application settings, is modified to remove the default value of "dev" for the server_secret field. This field now defaults to None, requiring an explicit secret to be provided.
libs/arcade-mcp-server/arcade_mcp_server/worker.py: The create_arcade_mcp function, which sets up the server, is changed to no longer fall back to the "dev" secret. Furthermore, it now only initializes and enables the FastAPIWorker (which exposes the sensitive endpoints) if a secret is explicitly provided. This prevents the server from starting in a vulnerable state by default.

Therefore, the function arcade_mcp_server.worker.create_arcade_mcp is identified as the key vulnerable function. It was the component that consumed the insecure default setting and used it to configure the worker's authentication mechanism. While the exploit occurs on the worker API endpoints (e.g., /worker/tools), this function is the one responsible for creating the vulnerable condition during server startup.

Vulnerable functions

arcade_mcp_server.worker.create_arcade_mcp

libs/arcade-mcp-server/arcade_mcp_server/worker.py

This function is responsible for creating and configuring the FastAPI application. Prior to the patch, if the `ARCADE_WORKER_SECRET` was not set, this function would default to using the hardcoded secret "dev". It would then use this insecure secret to initialize the `FastAPIWorker`, which handles authenticated endpoints. This allowed any attacker with knowledge of the default secret to forge a valid JWT and gain unauthorized access to all worker API endpoints.

arcade_mcp_server.settings.ArcadeSettings

libs/arcade-mcp-server/arcade_mcp_server/settings.py

While this is a settings class and not a function, it is the root cause of the vulnerability. The `server_secret` field had a default value of "dev". This insecure default was then used by the `create_arcade_mcp` function to configure the worker's authentication, leading to a complete authentication bypass. The function `create_arcade_mcp` would be in the stack trace during server initialization, but the effect of this vulnerability is felt at the worker endpoints during an exploit.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66454: arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary

Details

PoC

Impact

CVE-2025-66454:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-66454: arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary

Details

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI