CVE-2025-11287
Published: 05 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11287 is an improper authentication vulnerability (CWE-287) in samanhappy MCPHub versions up to 0.9.10. It affects the handleSseConnection function in the file src/services/sseService.ts. The issue has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-10-05.
The vulnerability enables remote exploitation by unauthenticated attackers requiring only network access, low attack complexity, and no user interaction. Successful attacks can result in limited impacts to confidentiality, integrity, and availability.
Advisories from VulDB and GitHub references indicate that a public exploit is available and may be in use. The vendor was contacted early about the disclosure but did not respond; no patches or mitigations have been published.
Details
- CWE(s): CWE-287 (Improper Authentication)
- Affected Products: samanhappy MCPHub, versions up to 0.9.10
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Not Applicable
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: The CVE description details an improper authentication vulnerability (CWE-287) in a TypeScript SSE service handler (sseService.ts) of MCPHub, a general software product. No keywords, references, or context indicate involvement of AI/ML technologies, deep learning, NLP, computer vision, models, agents, or related components. SSE is a common web technology not specific to AI.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper authentication vulnerability (CWE-287) in the SSE service allows remote, unauthenticated attackers to forge any user's identity and gain unauthorized access to operate MCPHub, enabling exploitation of a public-facing application.