- The Anthrope MCP inspector project had a defect that allowed criminals to steal confidential data, release malware
- To abuse him, computer pirates must chain it with a decades browser error
- The fault was solved in mid -June 2025, but users must still be on guard
The Inspector of the Inspector of the Anthropic Model Context (MCP) entailed a critical severity vulnerability that could have allowed the threat actors to assemble remote code execution attacks (RCE) against host devices, experts warned.
Better known for its Claude conversational model, Anthrope developed MCP, an open source standard that facilitates safe and bidirectional communication between AI systems and external data sources. He also built Inspector, a separate open source tool that allows developers to test and purify MCP servers.
Now, it was reported that a failure in the inspector could have been used to steal confidential data, release malware and move laterally through the destination networks.
Patching the fault
Apparently, this is the first critical level vulnerability in the MCP ecosystem of Anthrope, and one that opens a new class of attacks.
The defect is tracked as CVE-2025-49596, and has a gravity score of 9.4/10, critic.
“This is one of the first critics in the MCP ecosystem of Anthrope, exposing a new class of browser -based attacks against AI developer tools,” said Oligo Security’s Avi Lumelsky.
“With the execution of the code on the developer’s machine, the attackers can steal data, install rear doors and move laterally through the networks, which highlights the serious risks for AI equipment, open source projects and business adopters that depend on MCP.”
To abuse this defect, attackers need to chain it with “0.0.0.0. Day”, a vulnerability of two decades in web browsers that allow malicious websites to violate local networks, The hacker news He explains, citing Lumelsky.
When creating a malicious website and then sending a request to the local hosts that are executed on an MCP server, the attackers could execute arbitrary commands on the machine of a developer.
Anthrope was notified about the defect in April of this year, and returned with a patch on June 13, taking the tool to version 0.14.1. Now, a session token to the proxy server is added, as well as to the validation of origin, which makes the attacks discuss.
