{"id":"CVE-2025-58444","summary":"MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server","details":"The MCP Inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This could be leveraged to interact directly with the inspector proxy to trigger arbitrary command execution. Users are advised to update to 0.16.6 to resolve this issue.","aliases":["GHSA-g9hg-qhmf-q45m"],"modified":"2026-04-02T12:56:07.143218Z","published":"2025-09-08T21:24:58.821Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58444.json","cwe_ids":["CWE-84"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58444.json"},{"type":"ADVISORY","url":"https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-g9hg-qhmf-q45m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58444"},{"type":"FIX","url":"https://github.com/modelcontextprotocol/inspector/commit/650f3090d26344a672026b737d81586595bb1f60"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/modelcontextprotocol/inspector","events":[{"introduced":"0"},{"fixed":"377211061b51315e0d1a5da585447290173de880"}]}],"versions":["0.0.1","0.1.0","0.10.2","0.11.0","0.11.0-amended","0.12.0","0.13.0","0.14.0","0.14.1","0.14.2","0.14.3","0.15.0","0.16.0","0.16.1","0.16.2","0.16.3","0.16.4","0.16.5","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.3.0","0.4.0","0.4.1","0.5.1","0.6.0","0.7.0","0.8.0","0.8.1","0.8.1-hotfix","0.8.2","0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58444.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}