VDB
KO
MEDIUM 6.7

PYSEC-2026-2475

FastMCP has a Command Injection vulnerability - Gemini CLI

Details

Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string.

PoC: ```python from fastmcp import FastMCP

mcp = FastMCP(name="test&calc")

@mcp.tool def roll_dice(n_dice: int) -> list[int]: """Roll `n_dice` 6-sided dice and return the results.""" return [random.randint(1, 6) for _ in range(n_dice)] ```

``` fastmcp install claude-code server.py # or: fastmcp install gemini-cli server.py ```

On Windows, this opens Calculator via the `&calc` in the server name.

Impact: Arbitrary command execution with the privileges of the user running `fastmcp install`. Affects Windows hosts where the target CLI (one of claude, gemini) is installed as a `.cmd` wrapper. Does not affect macOS/Linux, and does not affect config-file-based install targets (cursor, goose, mcp-json).

Patched in #3522 by validating server names to reject shell metacharacters.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / fastmcp
Introduced in: 0 Fixed in: 3.2.0
Fix pip install --upgrade 'fastmcp>=3.2.0'

References