Untrusted JSON Manual Fetching Vulnerability in Universal Tool Calling Protocol
CVE-2025-14542

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
13 December 2025

What is CVE-2025-14542?

This vulnerability allows a malicious provider to alter a JSON specification, known as a Manual, fetched by a client from a remote endpoint. Initially, a trusted provider may serve benign instructions; however, after establishing trust, they can modify the manual to maliciously manipulate client behavior. This poses a significant security risk as it enables unauthorized commands to be executed, potentially leading to exploitation of the client system.

References

https://research.jfrog.com/vulnerabilities/python-utcp-un...
third-party-advisory
https://github.com/universal-tool-calling-protocol/python...
patch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-14542 : Untrusted JSON Manual Fetching Vulnerability in Universal Tool Calling Protocol