SCA: security update for fastmcp (GHSA-m8x7-r2rg-vh5g)

high Tenable Cloud Security Plugin ID 439568

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names
containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp
install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list
argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe,
which interprets metacharacters in the flattened command string. This issue has been patched in version
3.2.0. (CVE-2025-64340)

Solution

Update the fastmcp library and its related packages to version 3.2.0 or later.

See Also

https://github.com/advisories/GHSA-m8x7-r2rg-vh5g

Plugin Details

Severity: High

ID: 439568

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 4/1/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-64340

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/31/2026

Vulnerability Publication Date: 3/31/2026

Reference Information

CVE: CVE-2025-64340

cwe: CWE-78