CVE-2025-58444 Overview
CVE-2025-58444 is a cross-site scripting (XSS) vulnerability in the Model Context Protocol (MCP) Inspector, a developer tool used for testing and debugging MCP servers. The flaw exists in versions prior to 0.16.6 and is triggered when the inspector connects to an untrusted remote MCP server that supplies a malicious OAuth redirect URI. An attacker can leverage the XSS to interact directly with the inspector proxy and trigger arbitrary command execution on the developer's local machine. The issue is tracked under CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page.
Critical Impact
A malicious MCP server can chain XSS in the Inspector UI to arbitrary command execution on the developer host through the local inspector proxy.
Affected Products
- MCP Inspector versions prior to 0.16.6
- Developer workstations running the local MCP Inspector tool
- Environments connecting the Inspector to untrusted remote MCP servers
Discovery Timeline
- 2025-09-08 - CVE-2025-58444 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-58444
Vulnerability Analysis
The MCP Inspector implements an OAuth authorization flow to connect to remote MCP servers. The client-side OAuth components, including AuthDebugger.tsx and OAuthFlowProgress.tsx, accepted redirect URIs returned by remote servers without validating the URL scheme or contents. A remote server controlled by an attacker can return a javascript: URI or other crafted redirect target, which the Inspector renders or follows in the local browser context.
Because the Inspector runs a local proxy used to forward debugging requests to backend processes, script execution inside the Inspector page can issue authenticated requests to that proxy. This bridge from rendered script to local proxy enables arbitrary command execution on the developer host.
Root Cause
The root cause is missing validation on OAuth redirect URLs handled by the Inspector client. The patched code introduces a validateRedirectUrl helper imported from @/utils/urlValidation, which constrains accepted redirect targets to safe URL schemes before they are stored or rendered.
Attack Vector
The attack requires user interaction: a developer connects the Inspector to an attacker-controlled MCP server. The malicious server returns a crafted redirect URI during OAuth negotiation. The Inspector processes the URI, executes attacker-supplied script in the Inspector origin, and the script issues commands to the local inspector proxy to execute arbitrary processes.
// Patch excerpt: client/src/components/AuthDebugger.tsx
import { OAuthFlowProgress } from "./OAuthFlowProgress";
import { OAuthStateMachine } from "../lib/oauth-state-machine";
import { SESSION_KEYS } from "../lib/constants";
+import { validateRedirectUrl } from "@/utils/urlValidation";
export interface AuthDebuggerProps {
serverUrl: string;
// Patch excerpt: client/src/components/OAuthFlowProgress.tsx
import { DebugInspectorOAuthClientProvider } from "@/lib/auth";
import { useEffect, useMemo, useState } from "react";
import { OAuthClientInformation } from "@modelcontextprotocol/sdk/shared/auth.js";
+import { validateRedirectUrl } from "@/utils/urlValidation";
+import { useToast } from "@/lib/hooks/useToast";
Source: GitHub commit 650f3090. The patch introduces redirect URL validation in both OAuth components to reject untrusted schemes such as javascript: and prevent script injection through the OAuth flow.
Detection Methods for CVE-2025-58444
Indicators of Compromise
- Unexpected child processes spawned by Node.js or Inspector proxy processes on developer workstations.
- Outbound connections from a developer host to unknown MCP server endpoints followed by local process creation.
- Inspector log entries containing OAuth redirect URIs with non-http(s) schemes such as javascript: or data:.
Detection Strategies
- Inventory installed versions of @modelcontextprotocol/inspector across developer machines and flag any version below 0.16.6.
- Monitor for the Inspector proxy process executing shell or interpreter commands that do not originate from local developer activity.
- Inspect HTTP traffic from the Inspector for OAuth callback responses containing suspicious redirect_uri values.
Monitoring Recommendations
- Enable process-tree telemetry on developer endpoints to correlate browser or Electron parent processes with spawned commands.
- Alert on first-time outbound connections from developer hosts to MCP server domains not on an approved list.
- Review the GitHub Security Advisory GHSA-g9hg-qhmf-q45m for additional indicators.
How to Mitigate CVE-2025-58444
Immediate Actions Required
- Upgrade MCP Inspector to version 0.16.6 or later on all developer workstations.
- Disconnect the Inspector from any untrusted or unverified remote MCP servers until the upgrade is complete.
- Audit recent Inspector sessions for connections to unknown MCP server URLs and investigate resulting process activity.
Patch Information
The fix is published in MCP Inspector 0.16.6 via commit 650f3090d26344a672026b737d81586595bb1f60. The patch adds the validateRedirectUrl utility and applies it to OAuth redirect handling in AuthDebugger.tsx and OAuthFlowProgress.tsx. Refer to the GitHub Security Advisory GHSA-g9hg-qhmf-q45m for the official fix notice.
Workarounds
- Restrict Inspector usage to local or fully trusted MCP servers until upgraded to 0.16.6.
- Run the Inspector inside an isolated virtual machine or container to limit the blast radius of command execution.
- Block outbound network access from the Inspector to unapproved MCP server hosts using a host firewall allowlist.
# Upgrade the MCP Inspector to the patched release
npm install -g @modelcontextprotocol/inspector@0.16.6
# Verify the installed version
npx @modelcontextprotocol/inspector --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

