CVE-2025-11287

EPSS 0.30%

MCPHub has an Improper Authorization vulnerability via its handleSseConnection function

Published: 10/5/2025Modified: 10/9/2025

Description

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected packages (1)

npm/@samanhappy/mcphubfrom 0, <= 0.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-11287
PATCHhttps://github.com/samanhappy/mcphub
WEBhttps://github.com/August829/YU1/issues/8
WEBhttps://vuldb.com/?ctiid.327045
WEBhttps://vuldb.com/?id.327045
WEBhttps://vuldb.com/?submit.661170