Cyber Resilience

CVE-2025-64340

MediumPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
21 April 2026
KEV Added
Patch
CVSS Score v3.1 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64340 is a medium-severity OS Command Injection (CWE-78) vulnerability in Jlowin Fastmcp. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64340 is a command injection vulnerability (CWE-78) in FastMCP, the standard framework for building MCP applications, affecting versions prior to 3.2.0. The flaw occurs on Windows when server names containing shell metacharacters, such as &, are passed to the fastmcp install claude-code or fastmcp install gemini-cli commands. These commands invoke subprocess.run() with a list argument, but the target CLIs often resolve to .cmd wrappers executed through cmd.exe, which interprets metacharacters in the resulting flattened command string.

Exploitation requires local access, high attack complexity, low privileges, and user interaction, as indicated by the CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). A low-privileged local attacker could trick a user into running one of the vulnerable install commands with a specially crafted server name containing shell metacharacters, enabling arbitrary command execution on the target Windows system with high impacts to confidentiality, integrity, and availability.

The vulnerability has been addressed in FastMCP version 3.2.0. Security advisories and the patching pull request provide further details on the fix, available at https://github.com/PrefectHQ/fastmcp/pull/3522 and https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-m8x7-r2rg-vh5g.

EU & UK References

Vulnerability details

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use…

more

subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude, gemini, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Direct OS command injection via crafted server name passed to subprocess on Windows, resulting in cmd.exe interpretation and arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32871Same product: Jlowin Fastmcp
CVE-2026-22035Shared CWE-78
CVE-2026-32000Shared CWE-78
CVE-2026-28391Shared CWE-78
CVE-2026-30302Shared CWE-78
CVE-2026-31975Shared CWE-78
CVE-2025-11953Shared CWE-78
CVE-2026-7461Shared CWE-78
CVE-2026-31862Shared CWE-78
CVE-2026-31999Shared CWE-78

Affected Assets

jlowin
fastmcp
≤ 3.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of server name inputs to block shell metacharacters that enable command injection in subprocess.run() calls on Windows.

prevent

Requires timely identification, reporting, and patching of the FastMCP command injection flaw to version 3.2.0.

prevent

Restricts server name inputs to safe character sets, preventing the use of shell metacharacters that trigger cmd.exe interpretation.

References