{"data":{"id":"3c5c5cda-8260-42bb-a73e-0922c8d5afb9","title":"CVE-2025-64340: FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters...","summary":"FastMCP (a framework for building MCP applications, which are tools that extend AI assistants) has a command injection vulnerability (a security flaw where an attacker can run unauthorized commands) in versions before 3.2.0 on Windows. When a server name contains shell metacharacters such as '&', the Windows command interpreter can interpret those characters as command syntax rather than as part of the name, allowing attackers to execute malicious commands during installation.","solution":"Update FastMCP to version 3.2.0 or later, where this issue has been patched.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-64340","publishedAt":"2026-04-03T16:16:23.010Z","cveId":"CVE-2025-64340","cweIds":["CWE-78"],"cvssScore":"6.7","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["OpenAI","Google"],"affectedVendorsRaw":["FastMCP","Claude","Gemini"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","attackVector":"local","attackComplexity":"high","privilegesRequired":"low","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-03T16:16:23.010Z","capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"plugin","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}