## FastMCP v3.2.0 Security Update Patches Critical Windows Command Injection Vulnerability (CVE-2025-64340)
A critical security vulnerability in the FastMCP framework, tracked as CVE-2025-64340, has been patched in version 3.2.0. The flaw is a command injection on Windows: a server name containing shell metacharacters (such as `&`, which cmd.exe treats as a command separator) was passed unsanitised into the command line built by specific installation commands, so whoever controls that name can run arbitrary commands with the privileges of the user invoking the installer.

The vulnerability was present in the `fastmcp install claude-code` and `fastmcp install gemini-cli` commands. The update from version 3.0.0 to 3.2.0 closes it. The patch was released by the maintainers at PrefectHQ, and the advisory is publicly available on GitHub. The automated dependency management tool Renovate has flagged this as a security update, indicating its priority.
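The pattern behind this class of bug, and the fix a practitioner would want, is easier to see in code than in prose. The example below is added here for illustration and is not FastMCP's code, nor the actual patch; it uses `echo` as a constructed stand-in for the real `claude`/`gemini` CLI so the injected command is visible in captured output, and the allow-list regex and the `install_*`/`is_valid_server_name` helper names are assumptions. The vulnerable function interpolates the server name into one string and runs it with `shell=True`; the hardened one validates the name against an allow-list and passes it as a discrete argv element with no shell.

```python
import re
import subprocess

# Constructed stand-in for the real CLI (e.g. "claude mcp add ..."): `echo` just
# prints its arguments, so any injected second command shows up in the output.
STUB_CLI = "echo"

# Hypothetical allow-list for MCP server names: letters, digits, dot, dash, underscore.
# Anything that could reach a shell as a metacharacter (&, |, ;, quotes, spaces) is rejected.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def install_vulnerable(server_name: str) -> str:
    """The anti-pattern: the name is interpolated unquoted into a single command
    line and handed to the shell, so `&` (cmd.exe) or `&&` (sh and cmd.exe)
    terminates the intended command and starts an attacker-chosen one. Do NOT use."""
    cmd = f"{STUB_CLI} mcp add {server_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_server_name(server_name: str) -> bool:
    """True only if the name consists solely of allow-listed characters."""
    return SERVER_NAME_RE.fullmatch(server_name) is not None


def validate_server_name(server_name: str) -> str:
    """Rejects anything outside the allow-list before it can reach a subprocess."""
    if not is_valid_server_name(server_name):
        raise ValueError(f"invalid server name: {server_name!r}")
    return server_name


def install_hardened(server_name: str) -> str:
    """Validates the name, then passes it as its own argv element with shell=False,
    so the operating system never parses it as shell syntax."""
    name = validate_server_name(server_name)
    result = subprocess.run(
        [STUB_CLI, "mcp", "add", name], shell=False, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: `&&` is honoured by both sh and cmd.exe; cmd.exe also honours a single `&`.
    payload = "demo && echo INJECTED"
    print(install_vulnerable(payload))   # the injected command runs: INJECTED appears
    try:
        install_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)          # never reaches subprocess
    print(install_hardened("demo"))      # legitimate name works as before
```

One Windows-specific caveat worth keeping in mind: when the target CLI is a `.cmd`/`.bat` wrapper (which is how npm-installed tools are typically exposed on Windows), `CreateProcess` runs it through cmd.exe even with `shell=False`, so switching to an argument list alone does not neutralise `&`. The allow-list check is what actually closes the hole; treat argv passing as defence in depth, not as the fix.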

This vulnerability underscores the persistent risks in dependency management and command-line tool security, particularly for Windows environments, where cmd.exe's metacharacter handling differs from POSIX shells. Developers and organizations using FastMCP for AI agent tooling should update to v3.2.0 promptly to remove the risk of arbitrary command execution, and should treat server names from untrusted configuration as hostile input until they do. The incident also highlights the value of automated dependency scanning in CI/CD pipelines, which is how this update was surfaced, so that security fixes are picked up before the affected code path is exercised in production.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, dependency-management, ai-tooling, windows
- **Credibility**: unverified
- **Published**: 2026-04-01 19:27:35
- **ID**: 45940
- **URL**: https://whisperx.ai/en/intel/45940