{"id":11063849,"name":"@modelcontextprotocol/inspector","ecosystem":"npm","description":"Model Context Protocol inspector","homepage":"https://modelcontextprotocol.io","licenses":"SEE LICENSE IN LICENSE","normalized_licenses":["ICU"],"repository_url":"https://github.com/modelcontextprotocol/inspector","keywords_array":[],"namespace":"modelcontextprotocol","versions_count":54,"first_release_published_at":"2024-11-19T19:27:34.724Z","latest_release_published_at":"2026-04-14T21:01:18.421Z","latest_release_number":"0.21.2","last_synced_at":"2026-04-22T16:18:42.376Z","created_at":"2024-11-19T19:30:12.904Z","updated_at":"2026-04-22T17:12:23.782Z","registry_url":"https://www.npmjs.com/package/@modelcontextprotocol/inspector","install_command":"npm install @modelcontextprotocol/inspector","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"0.21.2"}},"repo_metadata":{},"repo_metadata_updated_at":"2026-04-15T11:26:28.404Z","dependent_packages_count":0,"downloads":635249,"downloads_period":"last-month","dependent_repos_count":0,"rankings":{"downloads":63.64672133627355,"dependent_repos_count":25.523535653743885,"dependent_packages_count":36.961422187861736,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":42.043893059293055},"purl":"pkg:npm/%40modelcontextprotocol/inspector","advisories":[{"uuid":"GSA_kwCzR0hTQS1nOWhnLXFobWYtcTQ1bc4ABL0c","url":"https://github.com/advisories/GHSA-g9hg-qhmf-q45m","title":"MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server","description":"An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector connects to an untrusted server, a crafted redirect can inject script into the Inspector context and, via the built-in proxy, be leveraged to trigger arbitrary command execution on the developer machine. Version 0.16.6 hardens URL handling/validation and prevents script execution.\n\n\u003e Thank you to the following researchers for their reports and contributions:\n\u003e * Raymond (Veria Labs)\n\u003e * Gavin Zhong, \u003csuperboyzjc@gmail.com\u003e \u0026 Shuyang Wang, \u003cswang@obsidiansecurity.com\u003e.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-09-08T21:14:23.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.6,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-g9hg-qhmf-q45m","https://github.com/modelcontextprotocol/inspector/commit/650f3090d26344a672026b737d81586595bb1f60","https://nvd.nist.gov/vuln/detail/CVE-2025-58444","https://www.npmjs.com/package/@modelcontextprotocol/inspector/v/0.16.6","https://github.com/advisories/GHSA-g9hg-qhmf-q45m"],"source_kind":"github","identifiers":["GHSA-g9hg-qhmf-q45m","CVE-2025-58444"],"repository_url":"https://github.com/modelcontextprotocol/inspector","blast_radius":1.0,"created_at":"2025-09-08T22:09:27.706Z","updated_at":"2026-04-22T17:02:24.113Z","epss_percentage":0.00034,"epss_percentile":0.09772,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOWhnLXFobWYtcTQ1bc4ABL0c","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nOWhnLXFobWYtcTQ1bc4ABL0c","packages":[{"ecosystem":"npm","package_name":"@modelcontextprotocol/inspector","versions":[{"first_patched_version":"0.16.6","vulnerable_version_range":"\u003c 0.16.6"}],"purl":"pkg:npm/%40modelcontextprotocol%2Finspector"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOWhnLXFobWYtcTQ1bc4ABL0c/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS03ZjhyLTIyMnAtNmY1Z84ABJCZ","url":"https://github.com/advisories/GHSA-7f8r-222p-6f5g","title":"MCP Inspector proxy server lacks authentication between the Inspector client and proxy","description":"Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.\n\nCredit: Rémy Marot \u003cbughunters@tenable.com\u003e","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2025-06-13T22:15:26.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.4,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","references":["https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g","https://nvd.nist.gov/vuln/detail/CVE-2025-49596","https://github.com/modelcontextprotocol/inspector/commit/50df0e1ec488f3983740b4d28d2a968f12eb8979","https://thenewstack.io/mcp-vulnerability-exposes-the-ai-untrusted-code-crisis","https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596","https://github.com/advisories/GHSA-7f8r-222p-6f5g"],"source_kind":"github","identifiers":["GHSA-7f8r-222p-6f5g","CVE-2025-49596"],"repository_url":"https://github.com/modelcontextprotocol/inspector","blast_radius":1.0,"created_at":"2025-06-13T23:08:01.300Z","updated_at":"2026-04-22T17:02:48.063Z","epss_percentage":0.03337,"epss_percentile":0.87309,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZjhyLTIyMnAtNmY1Z84ABJCZ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS03ZjhyLTIyMnAtNmY1Z84ABJCZ","packages":[{"ecosystem":"npm","package_name":"@modelcontextprotocol/inspector","versions":[{"first_patched_version":"0.14.1","vulnerable_version_range":"\u003c 0.14.1"}],"purl":"pkg:npm/%40modelcontextprotocol%2Finspector"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZjhyLTIyMnAtNmY1Z84ABJCZ/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@modelcontextprotocol/inspector","docker_dependents_count":1,"docker_downloads_count":140323,"usage_url":"https://repos.ecosyste.ms/usage/npm/@modelcontextprotocol/inspector","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@modelcontextprotocol/inspector/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@modelcontextprotocol%2Finspector/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@modelcontextprotocol%2Finspector/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@modelcontextprotocol%2Finspector/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@modelcontextprotocol%2Finspector/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@modelcontextprotocol%2Finspector/codemeta","maintainers":[{"uuid":"ochafik","login":"ochafik","name":null,"email":"olivier.chafik@gmail.com","url":null,"packages_count":39,"html_url":"https://www.npmjs.com/~ochafik","role":null,"created_at":"2026-02-13T01:11:21.216Z","updated_at":"2026-02-13T01:11:21.216Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/ochafik/packages"},{"uuid":"pcarleton","login":"pcarleton","name":null,"email":"paulcarletonjr@gmail.com","url":null,"packages_count":39,"html_url":"https://www.npmjs.com/~pcarleton","role":null,"created_at":"2025-11-16T01:12:44.104Z","updated_at":"2025-11-16T01:12:44.104Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/pcarleton/packages"},{"uuid":"jspahrsummers","login":"jspahrsummers","name":null,"email":"justin@jspahrsummers.com","url":null,"packages_count":57,"html_url":"https://www.npmjs.com/~jspahrsummers","role":null,"created_at":"2024-11-19T19:30:15.559Z","updated_at":"2024-11-19T19:30:15.559Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/jspahrsummers/packages"},{"uuid":"thedsp","login":"thedsp","name":null,"email":"experimentalworks@gmail.com","url":null,"packages_count":50,"html_url":"https://www.npmjs.com/~thedsp","role":null,"created_at":"2024-11-19T19:30:15.356Z","updated_at":"2024-11-19T19:30:15.356Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/thedsp/packages"},{"uuid":"ashwin-ant","login":"ashwin-ant","name":null,"email":"ashwin@anthropic.com","url":null,"packages_count":50,"html_url":"https://www.npmjs.com/~ashwin-ant","role":null,"created_at":"2024-11-19T19:30:14.896Z","updated_at":"2024-11-19T19:30:14.896Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/ashwin-ant/packages"},{"uuid":"fweinberger","login":"fweinberger","name":null,"email":"fweinberger@anthropic.com","url":null,"packages_count":37,"html_url":"https://www.npmjs.com/~fweinberger","role":null,"created_at":"2026-02-13T01:11:20.072Z","updated_at":"2026-02-13T01:11:20.072Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/fweinberger/packages"}]}