PyPI: fastmcp
GHSA-rcfx-77hg-w2wv
Safety vulnerability ID: SFTY-20251226-65730
There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.
Overview
FastMCP updated to MCP 1.23+ due to CVE-2025-66416
Advisory
FastMCP updated to MCP 1.23+ due to CVE-2025-66416
How to Fix
Upgrade fastmcp to 2.14.0 or higher.
Mitigation and Workarounds
---
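An added check, not part of the advisory or of either project's code: it reads the installed `fastmcp` and `mcp` distribution versions and reports the two conditions described above separately, since the vulnerable code is in the MCP SDK and the FastMCP version only decides whether an old SDK is permitted. The function names are this example's own, and treating a pre-release of a fixed version as still below it is an assumption.

```python
"""Audit a Python environment for the dependency state this advisory describes."""
import re
from importlib import metadata

FASTMCP_FIXED = (2, 14, 0)  # advisory: upgrade fastmcp to 2.14.0 or higher
MCP_FIXED = (1, 23, 0)      # advisory: MCP SDK versions <1.23 are affected


def release_tuple(version):
    """Numeric release part of a version string, padded or cut to three fields."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def below(version, fixed):
    """True if version sorts before fixed; aN/bN/rcN/devN builds of fixed count as below."""
    release = release_tuple(version)
    prerelease = re.search(r"\d(a|b|rc|\.?dev)\d*", version) is not None
    return release < fixed or (release == fixed and prerelease)


def assess(fastmcp_version, mcp_version):
    """Return findings for one environment; None means the package is absent."""
    findings = []
    if mcp_version is not None and below(mcp_version, MCP_FIXED):
        findings.append(f"mcp {mcp_version}: below 1.23, affected by CVE-2025-66416")
    if fastmcp_version is not None and below(fastmcp_version, FASTMCP_FIXED):
        findings.append(f"fastmcp {fastmcp_version}: below 2.14.0, still allows mcp <1.23")
    return findings


def installed(name):
    """Installed version of a distribution, or None if it is not present."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    # "fastmcp" and "mcp" are the PyPI distribution names of FastMCP and the MCP SDK.
    for line in assess(installed("fastmcp"), installed("mcp")) or ["no finding"]:
        print(line)
```

Run it with the interpreter of each virtual environment or container image that ships FastMCP; an `mcp` finding without a `fastmcp` finding means the SDK is pinned below 1.23 by something other than FastMCP.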
References
- https://getsafety.com/vulnerabilities/SFTY-20251226-65730
- https://github.com/jlowin/fastmcp/security/advisories/GHSA-rcfx-77hg-w2wv
- https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f
- https://nvd.nist.gov/vuln/detail/CVE-2025-66416
- https://github.com/advisories/GHSA-rcfx-77hg-w2wv
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
