CVE-2025-66454 Overview
CVE-2025-66454 is an authentication bypass vulnerability in Arcade MCP, a framework used to create, deploy, and share Model Context Protocol (MCP) servers. Versions prior to 1.5.4 ship the arcade-mcp HTTP server with a hardcoded default worker secret of "dev". The server never validates or requires an override during normal startup. An unauthenticated remote attacker who knows this static key can forge valid JSON Web Tokens (JWTs) and bypass the FastAPI authentication layer. Successful exploitation grants remote access to worker endpoints, including tool enumeration and tool invocation. The issue is tracked as [CWE-321: Use of Hard-coded Cryptographic Key] and is fixed in version 1.5.4.
Critical Impact
Unauthenticated attackers can forge JWTs using the known default secret and invoke any worker tool exposed by the arcade-mcp HTTP server.
Affected Products
- Arcade MCP (arcade-mcp) versions prior to 1.5.4
- arcade-mcp-server component (arcade_mcp_server.settings)
- arcade-cli deployment component (arcade_cli.deploy)
Discovery Timeline
- 2025-12-02 - CVE-2025-66454 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66454
Vulnerability Analysis
The arcade-mcp HTTP server uses JWTs to authenticate requests to worker endpoints. The signing key for these tokens is read from the ARCADE_WORKER_SECRET environment variable, which is exposed through the server_secret field in arcade_mcp_server/settings.py. In vulnerable releases, this field defaults to the literal string "dev" and is not required to be overridden at startup.
Because the secret is both static and shipped in the public source tree, any attacker can independently generate a signed JWT that the server will accept as valid. The FastAPI authentication dependency treats the forged token as authenticated, and the request proceeds to worker route handlers. Those handlers expose tool discovery and tool invocation, which allows the attacker to enumerate available MCP tools and execute them.
Root Cause
The root cause is a hardcoded cryptographic key used for token verification. The server_secret Pydantic field in settings.py defaulted to "dev", and no startup validation enforced a non-default value before worker routes were mounted. Any deployment that omitted the ARCADE_WORKER_SECRET environment variable inherited an attacker-known key.
Attack Vector
The attack is network-based and requires no user interaction or prior credentials. An attacker locates an exposed arcade-mcp HTTP server, crafts a JWT signed with "dev" using the algorithm the server expects, and sends it in the Authorization header to any worker endpoint. The server verifies the signature against the same static key and grants access.
# Patch: libs/arcade-mcp-server/arcade_mcp_server/settings.py
description="Disable authentication",
)
server_secret: str | None = Field(
- default="dev",
- description="Server secret",
+ default=None,
+ description="Server secret for worker endpoints (required to enable worker routes)",
validation_alias="ARCADE_WORKER_SECRET",
)
environment: str = Field(
# Source: https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817
The patch removes the "dev" default and makes server_secret optional with None. Worker routes are only mounted when a secret has been explicitly configured, which eliminates the attacker-known signing key.
Detection Methods for CVE-2025-66454
Indicators of Compromise
- Successful HTTP 200 responses to /worker/* endpoints on arcade-mcp deployments that were not configured with a custom ARCADE_WORKER_SECRET.
- JWT tokens presented in Authorization: Bearer headers whose signature verifies against the key "dev".
- Unexpected tool enumeration requests or tool invocations originating from external IP addresses.
Detection Strategies
- Inventory all arcade-mcp installations and confirm the installed version. Any version below 1.5.4 is vulnerable.
- Inspect process environment variables for missing or default ARCADE_WORKER_SECRET values on hosts running the arcade-mcp HTTP server.
- Review web server and reverse proxy logs for requests to worker routes that lack a corresponding legitimate client or session context.
Monitoring Recommendations
- Alert on inbound requests to arcade-mcp worker endpoints from outside expected client networks.
- Log JWT iat and exp claims for worker traffic and flag tokens issued outside the normal token-issuance workflow.
- Track process startup events for arcade-mcp services and record whether ARCADE_WORKER_SECRET is set to a non-default value.
How to Mitigate CVE-2025-66454
Immediate Actions Required
- Upgrade arcade-mcp to version 1.5.4 or later on all hosts.
- Rotate any JWTs or session tokens issued by vulnerable deployments and revoke cached credentials.
- Set ARCADE_WORKER_SECRET to a high-entropy random value on every deployment and confirm it is not the literal "dev".
- Restrict network exposure of arcade-mcp HTTP servers so they are not reachable from untrusted networks.
Patch Information
The fix is delivered in Arcade MCP 1.5.4. The upstream commit removes the hardcoded default and gates worker routes on the presence of a configured secret. See the GitHub Security Advisory GHSA-g2jx-37x6-6438, the GitHub Pull Request #691, and the GitHub Commit Update for implementation details.
Workarounds
- Explicitly set ARCADE_WORKER_SECRET to a strong, unique value in the service environment before starting the server.
- Place the arcade-mcp HTTP server behind an authenticated reverse proxy or private network segment until the upgrade is applied.
- Disable worker endpoints on deployments that do not require them by removing route registration in the local configuration.
# Configuration example: set a strong worker secret before starting arcade-mcp
export ARCADE_WORKER_SECRET="$(python -c 'import secrets; print(secrets.token_urlsafe(48))')"
export ARCADE_SERVER_PORT=8000
export ARCADE_SERVER_TRANSPORT="http"
# Verify the secret is not the vulnerable default
if [ "$ARCADE_WORKER_SECRET" = "dev" ] || [ -z "$ARCADE_WORKER_SECRET" ]; then
echo "ERROR: ARCADE_WORKER_SECRET is unset or uses the vulnerable default" >&2
exit 1
fi
# Start the server
python -m arcade_mcp_server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

