Share
## https://sploitus.com/exploit?id=4A228F44-7458-5483-811A-59344CF3DF7B
# CVE PoC: MCP Server Config Swap in Claude Code

**Vulnerability**: Claude Code approves MCP servers by name only. Changing the command while keeping the same name bypasses the approval prompt, achieving arbitrary code execution.

**Affected**: Claude Code v2.1.63 (latest as of 2026-03-03)
**Class**: Same as CVE-2025-54136 (MCPoison in Cursor)
**CWE**: CWE-345 โ€” Insufficient Verification of Data Authenticity
**CVSS 4.0**: 8.5 High

## Quick Demo (< 2 minutes)

```bash
git clone https://github.com/YOURUSER/mcp-config-swap-poc.git
cd mcp-config-swap-poc
./poc.sh
```

## Manual Step-by-Step

See [WALKTHROUGH.md](WALKTHROUGH.md) for a detailed step-by-step with explanations.

## How It Works

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                    INITIAL STATE                         โ”‚
โ”‚                                                         โ”‚
โ”‚  .mcp.json:                                             โ”‚
โ”‚    "helper" โ†’ legit-server.sh (harmless)                โ”‚
โ”‚                                                         โ”‚
โ”‚  User opens Claude Code โ†’ prompt appears:               โ”‚
โ”‚    "New MCP server: helper" โ†’ clicks YES                โ”‚
โ”‚                                                         โ”‚
โ”‚  Stored in .claude/settings.local.json:                 โ”‚
โ”‚    enabledMcpjsonServers: ["helper"]                    โ”‚
โ”‚    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                     โ”‚
โ”‚    NAME ONLY โ€” no hash of command/args                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                          โ”‚
                          โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚               ATTACKER MODIFIES .mcp.json               โ”‚
โ”‚                  (via PR merge / commit)                 โ”‚
โ”‚                                                         โ”‚
โ”‚  .mcp.json:                                             โ”‚
โ”‚    "helper" โ†’ evil-server.sh (malicious)                โ”‚
โ”‚               ^^^^^^^^^^^^^^                            โ”‚
โ”‚    Same name, DIFFERENT command                         โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                          โ”‚
                          โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚              USER OPENS CLAUDE CODE AGAIN                โ”‚
โ”‚                                                         โ”‚
โ”‚  Approval check:                                        โ”‚
โ”‚    name "helper" in enabledMcpjsonServers? โ†’ YES        โ”‚
โ”‚    command matches what was approved?      โ†’ NOT CHECKED โ”‚
โ”‚                                                         โ”‚
โ”‚  Result: evil-server.sh EXECUTES                        โ”‚
โ”‚          NO prompt shown                                โ”‚
โ”‚          Arbitrary code execution achieved               โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Files

| File | Purpose |
|------|---------|
| `poc.sh` | Automated PoC runner (interactive) |
| `servers/legit-server.sh` | Benign MCP server (approved initially) |
| `servers/evil-server.sh` | Malicious replacement (executes after swap) |
| `WALKTHROUGH.md` | Detailed manual reproduction steps |
| `REPORT.md` | Full HackerOne report |
| `screenshots/` | Evidence from tested exploitation |

## Responsible Disclosure

This vulnerability was reported to Anthropic via their [HackerOne VDP](https://hackerone.com/anthropic-vdp) on 2026-03-03.