CVE-2025-66454

CVE-2025-66454 is a medium-severity security vulnerability in arcade-mcp-server (pip), affecting versions < 1.9.1. It is fixed in 1.9.1.

Summary

The arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials.

Anyone following the official quick-start guide is vulnerable unless they manually override ARCADE_WORKER_SECRET.

Details

The documented method for launching an HTTP MCP server (python server.py http) implicitly sets the worker secret to the hardcoded default "dev":

ArcadeSettings.server_secret defaults to "dev"
(libs/arcade-mcp-server/arcade_mcp_server/settings.py:129–158)

create_arcade_mcp() passes this value directly to FastAPIWorker without validation
(libs/arcade-mcp-server/arcade_mcp_server/worker.py:118–188)

BaseWorker._set_secret() accepts this value and does not enforce rotation
(libs/arcade-serve/arcade_serve/core/base.py:42–83)

Because the worker’s signing key is constant and publicly documented, attackers can trivially generate valid HS256 JWTs:

The FastAPI worker auth middleware (arcade_serve/fastapi/auth.py) trusts any JWT signed with the worker secret.

The core auth layer (arcade_serve/core/auth.py) does not distinguish forged tokens from legitimate ones.

The official quick-start instructions (README.md:164–190) demonstrate launching an MCP server without mentioning worker-secret rotation. Users are told how to define tool secrets in .env, but not that the worker’s authentication key must be changed.

As a result, servers deployed following the documented workflow expose all /worker/* endpoints to anyone capable of generating a simple HS256 token using the known key.

This CVE was resolved by https://github.com/ArcadeAI/arcade-mcp/pull/691

PoC

Start the server using the official guide
https://docs.arcade.dev/en/home/build-tools/create-a-mcp-server

Verify that unauthenticated access is rejected (expected)

curl -s -D - http://127.0.0.1:8000/worker/tools
# → 403 Forbidden

Forge a valid HS256 token using the hardcoded default secret "dev"

import jwt
print(jwt.encode({'ver': '1', 'aud': 'worker'}, 'dev', algorithm='HS256'))

Use the forged token to bypass authentication

curl -s -D - \
  -H "Authorization: Bearer $(cat /tmp/forged_token.txt)" \
  http://127.0.0.1:8000/worker/tools

Result:
The server responds 200 OK with the full tool catalog and allows invocation of all worker tools.

Server logs show a rejected request immediately followed by a successful forged request, confirming the bypass.

Impact

This is an authentication bypass that results in full remote access to all MCP worker endpoints:

Unauthenticated attackers can enumerate tools

Invoke arbitrary tools remotely

Access any data returned by tools (including secrets loaded into ToolContext)

Execute actions inside internal systems if tools expose operational capabilities

Perform these actions without any brute forcing or guesswork due to the known default signing key

Any user who follows the official setup guide is exposed unless they manually override ARCADE_WORKER_SECRET, which is not documented.

This vulnerability effectively gives complete remote control over the MCP worker API to any attacker aware of the default key.

CVE-2025-66454 has a CVSS score of 6.5 (Medium). The vulnerability is reachable over the network and requires no privileges and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.9.1); upgrading removes the vulnerable code path.

Affected versions

arcade-mcp-server (< 1.9.1)

Security releases

arcade-mcp-server → 1.9.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade arcade-mcp-server to 1.9.1 or later to resolve this vulnerability.
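
Alongside the upgrade, a deployment can check its own configuration and captured tokens for the default key. The following is an added example, not code from arcade-mcp or from this advisory: check_worker_secret() audits ARCADE_WORKER_SECRET the way the Details section says the affected versions did not, and signed_with_default_secret() flags any bearer token (for example, one taken from a proxy log) whose HS256 signature verifies under "dev". The function names and the 32-byte minimum are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_SECRET = "dev"  # hardcoded default named in the advisory
MIN_SECRET_BYTES = 32   # assumption: require at least 256 bits for an HS256 key


def check_worker_secret(env=os.environ):
    """Return a list of problems with ARCADE_WORKER_SECRET; empty means OK."""
    secret = env.get("ARCADE_WORKER_SECRET")
    if secret is None:
        # In affected versions (< 1.9.1) an unset variable means "dev" is used.
        return ["ARCADE_WORKER_SECRET is unset, so the default applies"]
    problems = []
    if secret == DEFAULT_SECRET:
        problems.append("ARCADE_WORKER_SECRET equals the public default")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        problems.append(
            f"ARCADE_WORKER_SECRET is shorter than {MIN_SECRET_BYTES} bytes"
        )
    return problems


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by the JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signed_with_default_secret(token: str) -> bool:
    """True if a compact JWT's HMAC-SHA256 signature verifies under "dev"."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return False  # not a compact JWS
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(
        DEFAULT_SECRET.encode(), signing_input, hashlib.sha256
    ).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    return hmac.compare_digest(b64url(expected), parts[2])


if __name__ == "__main__":
    # Audit the current process environment before starting the server.
    for problem in check_worker_secret():
        print("WARNING:", problem)
```

A token that signed_with_default_secret() accepts in logs from a server that was meant to use a rotated secret indicates either a misconfigured deployment or a request built with the default key.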

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-66454? CVE-2025-66454 is a medium-severity security vulnerability in arcade-mcp-server (pip), affecting versions < 1.9.1. It is fixed in 1.9.1.
  2. How severe is CVE-2025-66454? CVE-2025-66454 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of arcade-mcp-server are affected by CVE-2025-66454? arcade-mcp-server (pip) versions < 1.9.1 are affected.
  4. Is there a fix for CVE-2025-66454? Yes. CVE-2025-66454 is fixed in 1.9.1. Upgrade to this version or later.
  5. Is CVE-2025-66454 exploitable, and should I be worried? Whether CVE-2025-66454 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-66454 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-66454? Upgrade arcade-mcp-server to 1.9.1 or later.
