CVE-2025-62801 MEDIUM

CVE-2025-62801: FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name

Vendor Jlowin

Product fastmcp

Weakness CWE-78

Published October 28, 2025

Last update October 29, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0.

Key dates

02Disclosure timeline

October 28, 2025 CVE published

October 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62801

Related vulnerabilities

CVE-2025-62801: FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name

01Description

02Disclosure timeline

03References

04Related CVE