fastmcp, Command Injection, CVE-2024-3522 (Critical)

Listen to this Post

The vulnerability arises from how `fastmcp install` handles server names containing shell metacharacters (such as &) on Windows. When a user creates a FastMCP server with a malicious name like `test&calc` and then runs `fastmcp install claude-code server.py` or fastmcp install gemini-cli server.py, the server name is passed to the installation process. Internally, `fastmcp` uses `subprocess.run()` with a list argument to execute the target CLI (claude or gemini). On Windows, these CLIs are often installed as `.cmd` wrapper files. When a `.cmd` file is executed via `subprocess.run()` with a list, the underlying Windows API `CreateProcess` invokes `cmd.exe` to handle the file. This results in the command-line arguments being flattened into a single string that is then processed by cmd.exe. Due to this behavior, shell metacharacters within the server name—such as &—are not escaped and are interpreted as command separators by cmd.exe. This allows an attacker to inject arbitrary commands that execute with the privileges of the user running the `fastmcp install` command. The proof of concept demonstrates that a server named `test&calc` will launch the Windows Calculator application when the installation command is run. The issue does not affect macOS or Linux systems, nor does it impact installations targeting configuration-file-based tools like cursor, goose, or mcp-json. The vulnerability was patched by implementing validation that rejects server names containing shell metacharacters.

dailycve form:

Platform: fastmcp on Windows
Version: before 3522 patch
Vulnerability : Command Injection via
Severity: Critical
date: 2024 (Patched)

Prediction: Already Patched (Apr 2024)

What Undercode Say:

Analytics:

The vulnerability stems from improper input sanitization combined with Windows-specific command execution behavior.

Test for vulnerability (Windows only)
python -c "from fastmcp import FastMCP; mcp = FastMCP(name='test&calc')"
fastmcp install claude-code server.py

Exploit:

PoC: Malicious server name
from fastmcp import FastMCP
import random
mcp = FastMCP(name="test&calc")
@mcp.tool
def roll_dice(n_dice: int) -> list[bash]:
return [random.randint(1, 6) for _ in range(n_dice)]
Running 'fastmcp install claude-code server.py' on Windows triggers calc.exe

Protection from this CVE:

Patched validation logic example
import re
if re.search(r'[;&|`$()]', server_name):
raise ValueError("Server name contains invalid characters")

Impact:

Arbitrary command execution with user privileges on Windows systems when using claude-code or gemini-cli install targets.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top