{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64340", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-30T17:40:52.030Z", "datePublished": "2026-04-03T15:16:13.930Z", "dateUpdated": "2026-04-03T16:12:58.401Z"}, "containers": {"cna": {"title": "FastMCP has a Command Injection vulnerability - Gemini CLI", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g"}, {"name": "https://github.com/PrefectHQ/fastmcp/pull/3522", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrefectHQ/fastmcp/pull/3522"}], "affected": [{"vendor": "jlowin", "product": "fastmcp", "versions": [{"version": "< 3.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:16:13.930Z"}, "descriptions": [{"lang": "en", "value": "FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0."}], "source": {"advisory": "GHSA-m8x7-r2rg-vh5g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:11:50.768330Z", "id": "CVE-2025-64340", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:12:58.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64340", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T16:11:50.768330Z"}}}], "references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:12:01.061Z"}}], "cna": {"title": "FastMCP has a Command Injection vulnerability - Gemini CLI", "source": {"advisory": "GHSA-m8x7-r2rg-vh5g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jlowin", "product": "fastmcp", "versions": [{"status": "affected", "version": "< 3.2.0"}]}], "references": [{"url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "name": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrefectHQ/fastmcp/pull/3522", "name": "https://github.com/PrefectHQ/fastmcp/pull/3522", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T15:16:13.930Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64340", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:12:58.401Z", "dateReserved": "2025-10-30T17:40:52.030Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T15:16:13.930Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0."}], "id": "CVE-2025-64340", "lastModified": "2026-04-03T16:16:23.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T16:16:23.010", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/pull/3522"}, {"source": "security-advisories@github.com", "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fastmcp", "source": "cna", "vendor": "jlowin"}, "product": "fastmcp", "vendor": "jlowin"}], "analysis": {"en": {"generated_at": "2026-04-03T18:21:07.746551+00:00", "value": {"mitigation_remediation": ["Upgrade FastMCP to version 3.2.0 or later.", "If an upgrade is not immediately possible, ensure that any server names used in install commands contain no shell metacharacters and are properly sanitized before passing to FastMCP.", "Restrict the ability to modify server names to trusted administrators only.", "Monitor system logs for unexpected execution of install commands or unusual shell activity.", "Apply general best practices for input validation and least privilege for processes that invoke command\u2011line tools."], "summary": {"action": "Immediate Patch", "impact": "Command Injection enabling arbitrary command execution on Windows servers"}, "threat_synthesis": {"affected_systems": "FastMCP, a framework maintained by jlowin, is affected in all releases prior to version 3.2.0. Servers running FastMCP that use the \"fastmcp install claude-code\" or \"fastmcp install gemini-cli\" commands with server names containing shell metacharacters are vulnerable. The vulnerability is limited to Windows platforms where the .cmd wrapper is used.", "description_and_impact": "The FastMCP framework processes server names as parameters when installing command\u2010line interfaces. On Windows the install commands invoke subprocess.run() with a list argument, but the target CLI resolves to a .cmd wrapper that is executed by cmd.exe. When a server name contains shell metacharacters such as &, the flattened command string is interpreted by cmd.exe, allowing injected commands to be executed. This constitutes a CWE\u201178 command\u2011injection vulnerability that can lead to arbitrary program execution on the host running FastMCP.", "risk_and_exploitability": "The vulnerability carries a CVSS v3 score of 6.7, indicating moderate severity. The EPSS metric is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not have known public exploits yet. An attacker would need the ability to supply or influence the server name used in the install command, which is typically a local configuration responsibility. If such control can be obtained, injected commands would run with the privileges of the FastMCP process, potentially elevating to full system compromise. The attack vector is local Windows command execution stemming from improper sanitization of input parameters."}}}}, "created": "2026-04-03T21:13:09.485346+00:00", "updated": "2026-04-03T21:15:21.624540+00:00", "vendors": ["jlowin", "jlowin$PRODUCT$fastmcp"]}