RCE in Jlowin Fastmcp

CVE-2025-62801

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (15.7th percentile) — read the EPSS interpretation.