Platform: python
Component: fastmcp
Fixed in: 3.2.1, 3.2.0
CVE-2025-64340 describes a command injection vulnerability discovered in fastmcp, a Python-based tool for managing and deploying command-line applications. An attacker can exploit this flaw by crafting malicious server names containing shell metacharacters, leading to arbitrary command execution on Windows systems during the installation process. This vulnerability affects versions of fastmcp up to and including 3.1.1; a fix is available in version 3.2.0.
The vulnerability arises because `fastmcp install claude-code` and `fastmcp install gemini-cli` call subprocess.run() with a list argument, which is normally safe, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe. cmd.exe interprets shell metacharacters in the server name, so an attacker who controls that name can inject arbitrary commands. Successful exploitation allows code execution with the privileges of the user running the fastmcp tool, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. The impact is particularly concerning in environments where fastmcp is used to deploy sensitive applications or manage critical infrastructure.
Public proof-of-concept code demonstrating the vulnerability has been released, increasing the risk of exploitation. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation. The vulnerability was publicly disclosed on 2026-03-31.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to fastmcp version 3.2.0 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to sanitize server names before they are passed to the installation process; specifically, the rule should strip or escape shell metacharacters (e.g., &, ;, |, >, <) from the server name. Additionally, review existing fastmcp configurations to identify any instances where untrusted input is used as the server name. After upgrading, confirm the fix by attempting an installation with a server name containing shell metacharacters and verifying that no injected command is executed.
Update FastMCP to version 3.2.0 or higher. This corrects the command injection vulnerability. You can update using the pip package manager: `pip install --upgrade fastmcp`.
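As an added example (not fastmcp's own code), the Python below implements the checks the two sections above describe: it validates a server name against an allowlist before the name can reach subprocess.run(), reports whether a CLI resolves to a .cmd/.bat wrapper that Windows hands to cmd.exe, and flags names in existing configurations that carry cmd.exe metacharacters. The `mcp add <name>` argument layout, the allowlist pattern, and the sample configuration names are assumptions for this example.

```python
import re
import shutil
from pathlib import PureWindowsPath

# Allowlist for server names (an assumption for this example, not fastmcp's rule):
# letters, digits, dot, underscore and dash only, so no metacharacter can pass.
SAFE_SERVER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters cmd.exe treats specially when a .cmd/.bat wrapper is invoked.
CMD_METACHARACTERS = set('&|;<>^%()"!\r\n')


def find_metacharacters(name: str) -> set:
    """Return the cmd.exe metacharacters present in a server name (empty if clean)."""
    return {c for c in name if c in CMD_METACHARACTERS}


def is_safe_server_name(name: str) -> bool:
    """True only when the whole name matches the allowlist."""
    return SAFE_SERVER_NAME.fullmatch(name) is not None


def is_batch_wrapper(executable: str) -> bool:
    """True when the executable, or what PATH resolves it to, is a .cmd/.bat file.
    Windows runs such files through cmd.exe even when subprocess.run() receives a
    list, which is exactly the condition that makes the metacharacters dangerous."""
    resolved = shutil.which(executable) or executable
    return PureWindowsPath(resolved).suffix.lower() in {".cmd", ".bat"}


def build_install_argv(cli: str, server_name: str, extra: tuple = ()) -> list:
    """Validate the name, then build the argv list to hand to subprocess.run().
    Raises ValueError on unsafe input; the 'mcp add <name>' layout is a placeholder."""
    if not is_safe_server_name(server_name):
        found = sorted(find_metacharacters(server_name))
        raise ValueError(f"server name {server_name!r} rejected; metacharacters: {found}")
    return [cli, "mcp", "add", server_name, *extra]


def audit_server_names(names) -> dict:
    """Review step: map each configured name that carries metacharacters to them."""
    return {n: sorted(find_metacharacters(n)) for n in names if find_metacharacters(n)}


if __name__ == "__main__":
    # Constructed sample of names as they might appear in existing configurations.
    sample_config_names = ["docs-server", "weather.v2", "notes&other", "tools|more"]
    print("flagged:", audit_server_names(sample_config_names))
    print("wrapper:", is_batch_wrapper(r"C:\Users\dev\AppData\Roaming\npm\claude.cmd"))
    print("argv:", build_install_argv("claude", "docs-server", ("--scope", "user")))
```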
CVE-2025-64340 is a command injection vulnerability affecting fastmcp versions up to 3.1.1. It allows attackers to execute arbitrary commands on Windows systems during the installation process by crafting malicious server names.
You are affected if you are using fastmcp version 3.1.1 or earlier. Check your installed version and upgrade accordingly.
Upgrade to fastmcp version 3.2.0 or later. As a temporary workaround, implement WAF rules to sanitize server names before installation.
Public proof-of-concept code is available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the fastmcp project's official channels (e.g., GitHub repository, mailing list) for the latest advisory and updates.