CVE-2025-58444: 
JavaScript vulnerability analysis and mitigation

The MCP inspector, a developer tool for testing and debugging MCP servers, contains a cross-site scripting (XSS) vulnerability identified as CVE-2025-58444. The vulnerability was discovered in versions prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. The issue was disclosed on September 8, 2025, and affects the MCP Inspector local development tool (GitHub Advisory).

The vulnerability is classified as CWE-84 (Improper Neutralization of Encoded URI Schemes in a Web Page) and has received a CVSS v4.0 base score of 8.6 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no special privileges (PR:N) but does need user interaction (UI:A). The vulnerability can result in high impacts to confidentiality, integrity, and availability of the vulnerable system (VC:H/VI:H/VA:H) (GitHub Advisory).

When successfully exploited, this vulnerability could allow attackers to interact directly with the inspector proxy and trigger arbitrary command execution. The high CVSS score indicates significant potential impact on the system's confidentiality, integrity, and availability (GitHub Advisory).

Users are advised to update to MCP Inspector version 0.16.6 which contains the fix for this vulnerability. The patch implements proper URL validation for OAuth redirect URLs and adds comprehensive validation checks to prevent malicious protocol URLs from being processed (GitHub Commit).