CVE-2025-66454

Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...

Use of Hard-coded Cryptographic Key

Overview arcade-mcp is an Arcade.dev - Tool Calling platform for Agents Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key via the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. An...

agent-library (>=0.7.0 <=0.13.1), arcade-ai (=2.3.0) +67 more potentially affected by CVE-2025-66454 via arcade-mcp-server (>=1.0.0rc3 <=1.22.0)

arcade-mcp-server PYPI version =1.0.0rc3, =0.7.0, =1.2.0, =0.3.0, =0.1.0, =0.3.0, =0.2.0, =1.2.0, =2.3.0, =1.1.0, =3.1.0, =0.2.0, =3.1.0, =3.1.0, =4.0.0, =4.2.0 and more Source cves: CVE-2025-66454 Source advisory: SNYK:PYTHON-ARCADEMCPSERVER-14171924...

Use of Hard-coded Cryptographic Key

Overview arcade-mcp-server is a Model Context Protocol MCP server framework for Arcade.dev Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key via the HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal...

CVE-2025-66454 Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...

CVE-2025-66454 Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...

CVE-2025-66454

The CVE-2025-66454 issue in arcade-mcp-server/arcade-mcp is a hardcoded default worker secret ("dev") used by the HTTP server. Prior to version 1.5.4, this secret is never validated/rotated during startup, enabling unauthenticated attackers who know the key to forge valid JWTs and bypass FastAPI ...

CVE-2025-66454 Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Arcade MCP allows you to to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...

GHSA-G2JX-37X6-6438 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

agent-library (>=0.7.0 <=0.13.1), arcade-ai (=2.3.0) +67 more potentially affected by CVE-2025-66454 via arcade-mcp-server (>=1.0.0rc3 <=1.22.0)

arcade-mcp-server PYPI version =1.0.0rc3, =0.7.0, =1.2.0, =0.3.0, =0.1.0, =0.3.0, =0.2.0, =1.2.0, =2.3.0, =1.1.0, =3.1.0, =0.2.0, =3.1.0, =3.1.0, =4.0.0, =4.2.0 and more Source cves: CVE-2025-66454 Source advisory: OSV:GHSA-G2JX-37X6-6438...

EUVD-2025-200280

arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints...

CVE-2025-66454

creationtimestamp| type| source ---|---|--- 2025-12-02 00:58:19+00:00| published-proof-of-concept| https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438...