CVE-2025-11287
Published: 05 October 2025
Summary
CVE-2025-11287 is a high-severity Improper Authentication (CWE-287) vulnerability in Mcphubx Mcphub. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Not Applicable risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 directly mitigates improper authentication by explicitly defining and restricting permitted actions without identification or authentication, preventing exploitation of the handleSseConnection function.
IA-8 requires identification and authentication for non-organizational users, countering the unauthenticated remote access vulnerability in the SSE service.
AC-3 enforces approved authorizations for logical access to system resources, blocking unauthorized connections via the flawed authentication mechanism.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper authentication vulnerability (CWE-287) in the SSE service allows remote, unauthenticated attackers to forge any user's identity and gain unauthorized access to operate MCPHub, enabling exploitation of a public-facing application.
NVD Description
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnectionfunction of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and might be…
more
used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-11287 is an improper authentication vulnerability (CWE-287) in samanhappy MCPHub versions up to 0.9.10. It affects the handleSseConnection function in the file src/services/sseService.ts. The issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-10-05.
The vulnerability enables remote exploitation by unauthenticated attackers with low complexity and no user interaction required. Successful attacks can result in low impacts to confidentiality, integrity, and availability.
Advisories from VulDB and related GitHub issues indicate that a public exploit is available and might be used in attacks. The vendor was contacted early for disclosure but provided no response, and no patches or specific mitigations are detailed in the references.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Not Applicable
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- The CVE description details an improper authentication vulnerability (CWE-287) in a TypeScript SSE service handler (sseService.ts) of MCPHub, a general software product. No keywords, references, or context indicate involvement of AI/ML technologies, deep learning, NLP, computer vision, models, agents, or related components. SSE is a common web technology not specific to AI.