GHSA-rcfx-77hg-w2wv: FastMCP updated to MCP 1.23+ due to CVE-2025-66416

GHSA-9fjq-45qv-pcm7: ruint affected by unsoundness of safe `reciprocal_mg10`

GHSA-g5p6-3j82-xfm4: Croogo CMS has a path traversal vulnerability

GHSA-6vj3-p34w-xxjp: apidoc-core has a prototype pollution vulnerability

GHSA-j4p8-h8mh-rh8q: Self-hosted n8n has Legacy Code node that enables arbitrary file read/write

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. 

FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

**FastMCP updated to MCP 1.23+ due to CVE-2025-66416**

High severity GitHub Reviewed Published Dec 26, 2025 in jlowin/fastmcp • Updated Dec 26, 2025

Headline

GHSA-rcfx-77hg-w2wv: FastMCP updated to MCP 1.23+ due to CVE-2025-66416

ghsa: Latest News