CVE-2025-11287 — MCPHub has an Improper Authorization vulnerability via its handleSseConnection f

Description

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

How to fix CVE-2025-11287

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-11287 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11287
PATCHgithub.com/samanhappy/mcphub
WEBgithub.com/August829/YU1/issues/8
WEBvuldb.com/?ctiid.327045
WEBvuldb.com/?id.327045