Listen to this Post
The vulnerability arises from how `fastmcp install` handles server names containing shell metacharacters (such as &) on Windows. When a user creates a FastMCP server with a malicious name like `test&calc` and then runs `fastmcp install claude-code server.py` or fastmcp install gemini-cli server.py, the server name is passed to the installation process. Internally, `fastmcp` uses `subprocess.run()` with a list argument to execute the target CLI (claude or gemini). On Windows, these CLIs are often installed as `.cmd` wrapper files. When a `.cmd` file is executed via `subprocess.run()` with a list, the underlying Windows API `CreateProcess` invokes `cmd.exe` to handle the file. This results in the command-line arguments being flattened into a single string that is then processed by cmd.exe. Due to this behavior, shell metacharacters within the server name—such as &—are not escaped and are interpreted as command separators by cmd.exe. This allows an attacker to inject arbitrary commands that execute with the privileges of the user running the `fastmcp install` command. The proof of concept demonstrates that a server named `test&calc` will launch the Windows Calculator application when the installation command is run. The issue does not affect macOS or Linux systems, nor does it impact installations targeting configuration-file-based tools like cursor, goose, or mcp-json. The vulnerability was patched by implementing validation that rejects server names containing shell metacharacters.
dailycve form:
Platform: fastmcp on Windows
Version: before 3522 patch
Vulnerability : Command Injection via
Severity: Critical
date: 2024 (Patched)
Prediction: Already Patched (Apr 2024)
What Undercode Say:
Analytics:
The vulnerability stems from improper input sanitization combined with Windows-specific command execution behavior.
Test for vulnerability (Windows only) python -c "from fastmcp import FastMCP; mcp = FastMCP(name='test&calc')" fastmcp install claude-code server.py
Exploit:
PoC: Malicious server name from fastmcp import FastMCP import random mcp = FastMCP(name="test&calc") @mcp.tool def roll_dice(n_dice: int) -> list[bash]: return [random.randint(1, 6) for _ in range(n_dice)] Running 'fastmcp install claude-code server.py' on Windows triggers calc.exe
Protection from this CVE:
Patched validation logic example
import re
if re.search(r'[;&|`$()]', server_name):
raise ValueError("Server name contains invalid characters")
Impact:
Arbitrary command execution with user privileges on Windows systems when using claude-code or gemini-cli install targets.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

