SCA: security update for @modelcontextprotocol/inspector (GHSA-7f8r-222p-6f5g)

critical Tenable Cloud Security Plugin ID 427869

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector
below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector
client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should
immediately upgrade to version 0.14.1 or later to address these vulnerabilities. (CVE-2025-49596)

See Also

https://github.com/advisories/GHSA-7f8r-222p-6f5g

Plugin Details

Severity: Critical

ID: 427869

Version: Revision 1.16

Type: Local

Family: SCA Checks

Published: 6/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.08

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-49596

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/13/2025

Vulnerability Publication Date: 6/13/2025

Reference Information

CVE: CVE-2025-49596

cwe: CWE-306