Share
## https://sploitus.com/exploit?id=4A228F44-7458-5483-811A-59344CF3DF7B
# CVE PoC: MCP Server Config Swap in Claude Code
**Vulnerability**: Claude Code approves MCP servers by name only. Changing the command while keeping the same name bypasses the approval prompt, achieving arbitrary code execution.
**Affected**: Claude Code v2.1.63 (latest as of 2026-03-03)
**Class**: Same as CVE-2025-54136 (MCPoison in Cursor)
**CWE**: CWE-345 โ Insufficient Verification of Data Authenticity
**CVSS 4.0**: 8.5 High
## Quick Demo (< 2 minutes)
```bash
git clone https://github.com/YOURUSER/mcp-config-swap-poc.git
cd mcp-config-swap-poc
./poc.sh
```
## Manual Step-by-Step
See [WALKTHROUGH.md](WALKTHROUGH.md) for a detailed step-by-step with explanations.
## How It Works
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ INITIAL STATE โ
โ โ
โ .mcp.json: โ
โ "helper" โ legit-server.sh (harmless) โ
โ โ
โ User opens Claude Code โ prompt appears: โ
โ "New MCP server: helper" โ clicks YES โ
โ โ
โ Stored in .claude/settings.local.json: โ
โ enabledMcpjsonServers: ["helper"] โ
โ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ โ
โ NAME ONLY โ no hash of command/args โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ATTACKER MODIFIES .mcp.json โ
โ (via PR merge / commit) โ
โ โ
โ .mcp.json: โ
โ "helper" โ evil-server.sh (malicious) โ
โ ^^^^^^^^^^^^^^ โ
โ Same name, DIFFERENT command โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ USER OPENS CLAUDE CODE AGAIN โ
โ โ
โ Approval check: โ
โ name "helper" in enabledMcpjsonServers? โ YES โ
โ command matches what was approved? โ NOT CHECKED โ
โ โ
โ Result: evil-server.sh EXECUTES โ
โ NO prompt shown โ
โ Arbitrary code execution achieved โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Files
| File | Purpose |
|------|---------|
| `poc.sh` | Automated PoC runner (interactive) |
| `servers/legit-server.sh` | Benign MCP server (approved initially) |
| `servers/evil-server.sh` | Malicious replacement (executes after swap) |
| `WALKTHROUGH.md` | Detailed manual reproduction steps |
| `REPORT.md` | Full HackerOne report |
| `screenshots/` | Evidence from tested exploitation |
## Responsible Disclosure
This vulnerability was reported to Anthropic via their [HackerOne VDP](https://hackerone.com/anthropic-vdp) on 2026-03-03.