CVE-2025-64340 Overview
CVE-2025-64340 is a command injection vulnerability in FastMCP, the standard framework for building MCP (Model Context Protocol) applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string.
Critical Impact
Attackers can execute arbitrary commands on Windows systems by crafting malicious server names with shell metacharacters, potentially leading to complete system compromise with user-level privileges.
Affected Products
- FastMCP versions prior to 3.2.0
- Windows systems using fastmcp install claude-code
- Windows systems using fastmcp install gemini-cli
Discovery Timeline
- 2026-04-03 - CVE CVE-2025-64340 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2025-64340
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in how FastMCP handles server name parameters during the installation process for AI assistant integrations.
When a user invokes the fastmcp install command with either claude-code or gemini-cli targets, the framework passes server names to the underlying subprocess without adequate sanitization. While the code uses subprocess.run() with a list argument—which would normally prevent shell injection on Unix-like systems—Windows presents a unique challenge. On Windows, CLI tools like claude-code and gemini-cli are often distributed as .cmd batch file wrappers.
When Python's subprocess module invokes a .cmd file on Windows, it automatically routes the execution through cmd.exe. This shell interpreter then flattens the command list into a single string, at which point shell metacharacters like &, |, >, and ; regain their special meaning and can be used to chain arbitrary commands.
Root Cause
The root cause lies in the Windows-specific behavior of executing .cmd wrapper scripts. Although subprocess.run() with list arguments typically provides protection against command injection by avoiding shell interpretation, Windows .cmd files are inherently processed by cmd.exe. This causes the argument list to be concatenated into a command string where metacharacters are interpreted. The FastMCP framework did not implement adequate input validation or escaping for server names before passing them to these subprocess calls.
Attack Vector
The attack requires local access and user interaction, as an attacker must convince a user to run the fastmcp install command with a malicious server name. An attacker could provide a crafted server name through various vectors such as:
- Malicious MCP server configurations shared via documentation or tutorials
- Social engineering attacks directing users to install compromised server definitions
- Compromised package repositories containing malicious server configurations
When a user executes a command like fastmcp install claude-code "innocent_name & malicious_command", the metacharacter & causes cmd.exe to interpret everything after it as a separate command to execute, resulting in arbitrary command execution with the privileges of the running user.
Detection Methods for CVE-2025-64340
Indicators of Compromise
- Unusual process spawning from Python processes running FastMCP on Windows systems
- Command line arguments containing shell metacharacters (&, |, >, <, ;, ^) in server name parameters
- Unexpected child processes of cmd.exe spawned from FastMCP installation workflows
- Suspicious file modifications or network connections following fastmcp install executions
Detection Strategies
- Monitor process creation events for cmd.exe spawned as a child of Python processes executing FastMCP
- Implement command-line logging to capture and analyze arguments passed to fastmcp install commands
- Deploy endpoint detection rules to flag shell metacharacters in MCP server name configurations
- Review audit logs for abnormal execution patterns during FastMCP installation workflows
Monitoring Recommendations
- Enable Windows command-line process auditing (Event ID 4688) to capture full command lines
- Configure SIEM alerts for suspicious command patterns following FastMCP process execution
- Implement file integrity monitoring on systems where FastMCP is actively used
- Monitor for unexpected outbound network connections originating from FastMCP-related processes
How to Mitigate CVE-2025-64340
Immediate Actions Required
- Upgrade FastMCP to version 3.2.0 or later immediately
- Audit all server name configurations for potentially malicious metacharacters before upgrading
- Review system logs for any suspicious activity following recent fastmcp install executions
- Restrict execution of fastmcp install commands to trusted administrators until patching is complete
Patch Information
The vulnerability has been patched in FastMCP version 3.2.0. The fix is available through the GitHub Pull Request 3522. Users should upgrade to version 3.2.0 or later to remediate this vulnerability. For detailed information about the security issue, refer to the GitHub Security Advisory GHSA-m8x7-r2rg-vh5g.
Workarounds
- Manually validate all server names to ensure they do not contain shell metacharacters (&, |, >, <, ;, ^, (, )) before passing them to installation commands
- Run FastMCP installation commands in isolated environments with minimal privileges
- Use application allowlisting to restrict which commands can be executed by the FastMCP process
- Consider temporarily disabling automated MCP server installations until the patch can be applied
# Upgrade FastMCP to patched version
pip install --upgrade fastmcp>=3.2.0
# Verify installed version
pip show fastmcp | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
