Cyber Posture

CVE-2025-64340

Medium · Public PoC

Published: 03 April 2026

Modified: 21 April 2026
KEV Added: none (not listed in CISA KEV)
CVSS Score: 6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.6th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64340 is a medium-severity OS Command Injection (CWE-78) vulnerability in Jlowin Fastmcp. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). The CVE is ranked at the 8.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as APIs and Models, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Windows Command Shell (T1059.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces validation of server name inputs to block shell metacharacters that enable command injection in subprocess.run() calls on Windows.

prevent: Requires timely identification, reporting, and patching of the FastMCP command injection flaw to version 3.2.0.

prevent: Restricts server name inputs to safe character sets, preventing the use of shell metacharacters that trigger cmd.exe interpretation.

MITRE ATT&CK Enterprise Techniques

T1059.003 Windows Command Shell (Execution)
Adversaries may abuse the Windows command shell for execution.

Why these techniques?

Direct OS command injection via crafted server name passed to subprocess on Windows, resulting in cmd.exe interpretation and arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.

Deeper analysis

CVE-2025-64340 is a command injection vulnerability (CWE-78) in FastMCP, the standard framework for building MCP applications, affecting versions prior to 3.2.0. The flaw occurs on Windows when server names containing shell metacharacters, such as &, are passed to the fastmcp install claude-code or fastmcp install gemini-cli commands. These commands invoke subprocess.run() with a list argument, but the target CLIs often resolve to .cmd wrappers executed through cmd.exe, which interprets metacharacters in the resulting flattened command string.

Exploitation requires local access, high attack complexity, low privileges, and user interaction, as indicated by the CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). A low-privileged local attacker could trick a user into running one of the vulnerable install commands with a specially crafted server name containing shell metacharacters, enabling arbitrary command execution on the target Windows system with high impacts to confidentiality, integrity, and availability.

The vulnerability has been addressed in FastMCP version 3.2.0. Security advisories and the patching pull request provide further details on the fix, available at https://github.com/PrefectHQ/fastmcp/pull/3522 and https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g.
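As an added illustration of the input-validation control (SI-10) recommended above, and not code from FastMCP or from this page, the following Python allow-lists a server name before it reaches subprocess.run(), reports which cmd.exe metacharacters a rejected name contains, and shows the single flattened string Windows receives from a list argument (the string a .cmd wrapper hands to cmd.exe). The `mcp add` argv shape and the CLI name are assumptions made for the example.

```python
import re
import shutil
import subprocess
from pathlib import PurePath

# Characters cmd.exe treats specially when it re-parses a flattened command line.
# Constructed for this example; deliberately broad rather than minimal.
CMD_METACHARACTERS = frozenset('&|<>^%!"()\r\n')

# Allow-list (SI-10 style): letters, digits, '.', '_' and '-' only, 1-64 chars.
SAFE_SERVER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def find_metacharacters(name: str) -> set[str]:
    """Return the cmd.exe metacharacters present in a proposed server name."""
    return {ch for ch in name if ch in CMD_METACHARACTERS}


def is_safe_server_name(name: str) -> bool:
    """True only if the name matches the allow-list; never rely on a deny-list alone."""
    return SAFE_SERVER_NAME.fullmatch(name) is not None


def validate_server_name(name: str) -> str:
    """Reject any name outside the allow-list before it is placed in an argv list."""
    if not is_safe_server_name(name):
        bad = "".join(sorted(find_metacharacters(name))) or "disallowed characters"
        raise ValueError(f"unsafe server name {name!r}: contains {bad}")
    return name


def flattened_command_line(argv: list[str]) -> str:
    """Show the one string Windows actually receives for a list argument.

    On Windows subprocess joins argv with list2cmdline(); an argument without
    spaces is passed through unquoted, so if the target resolves to a .cmd/.bat
    wrapper, cmd.exe sees '&' and friends as operators, not as data.
    """
    return subprocess.list2cmdline(argv)


def resolves_to_batch_wrapper(executable: str) -> bool:
    """True if the CLI found on PATH is a .cmd/.bat shim (the risky case on Windows)."""
    found = shutil.which(executable)
    return found is not None and PurePath(found).suffix.lower() in {".cmd", ".bat"}


def build_install_argv(cli: str, server_name: str) -> list[str]:
    """Hypothetical install command: validate first, then build the argv list."""
    return [cli, "mcp", "add", validate_server_name(server_name)]
```

Checking resolves_to_batch_wrapper() for the target CLI tells you whether the list-argument protection of subprocess.run() actually applies on a given host.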

Details

CWE(s)

CWE-78 (OS Command Injection)

Affected Products

jlowin
fastmcp
≤ 3.2.0

AI Security Analysis

AI Category: APIs and Models
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, claude, gemini

CVEs Like This One

CVE-2026-32871 · Same product: Jlowin Fastmcp
CVE-2026-32000 · Shared CWE-78
CVE-2026-22035 · Shared CWE-78
CVE-2025-11953 · Shared CWE-78
CVE-2025-57516 · Shared CWE-78
CVE-2026-27487 · Shared CWE-78
CVE-2020-37032 · Shared CWE-78
CVE-2026-26029 · Shared CWE-78
CVE-2026-31862 · Shared CWE-78
CVE-2026-31999 · Shared CWE-78
