GHSA-MXXR-JV3V-6PGC
Vulnerability from github – Published: 2025-10-29 15:38 – Updated: 2025-10-29 15:39Summary
While setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected Cross-Site-Scripting vulnerability.
Details
The affected code is located in https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/client/oauth_callback.py, which embeds all values passed to the create_callback_html function via the message parameter it into the callback page without escaping them. This can, for example, be abused by calling the callback server with an XSS payload inside the error GET parameter, the value of which will then be inserted into the callback page, causing the execution of attacker-controlled JavaScript code in the callback server's origin. Note that besides the error parameter, other parameters reaching this function are affected too.
PoC
- Setup a simple fastmcp client such as this one (the callback server's port was fixated for simplicity):
url="http://127.0.0.1:8000/mcp"
oauth = OAuth(mcp_url=url,callback_port=1337)
async def main():
async with Client(url, auth=oauth) as client:
await client.ping()
# List available operations
tools = await client.list_tools()
print(f"tools: {tools}")
asyncio.run(main())
- Ensure that the MCP server located at
http://127.0.0.1:8000/mcpsupports oauth. - Start the client.
- As soon as the callback server has been started, access
http://localhost:1337/callback?error=<img/src/onerror=alert(window.origin)>
Note that the exploitation could also for example be initiated by a malicious authorization server by returning the exploitation URL mentioned before in the authorization_endpoint field. The client would then automatically open, causing the XSS to trigger immediatly.
Impact
The impact of this XSS vulnerability is the arbitrary JavaScript execution in the victim's browser in the callback server's origin.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fastmcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62800"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T15:38:29Z",
"nvd_published_at": "2025-10-28T22:15:36Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhile setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected Cross-Site-Scripting vulnerability.\n\n### Details\nThe affected code is located in *https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/client/oauth_callback.py*, which embeds all values passed to the `create_callback_html` function via the `message` parameter it into the callback page without escaping them. This can, for example, be abused by calling the callback server with an XSS payload inside the `error` GET parameter, the value of which will then be inserted into the callback page, causing the execution of attacker-controlled JavaScript code in the callback server\u0027s origin. Note that besides the `error` parameter, other parameters reaching this function are affected too.\n\n### PoC\n1. Setup a simple fastmcp client such as this one (the callback server\u0027s port was fixated for simplicity):\n\n```\nurl=\"http://127.0.0.1:8000/mcp\"\noauth = OAuth(mcp_url=url,callback_port=1337)\n\nasync def main():\n async with Client(url, auth=oauth) as client:\n await client.ping()\n \n # List available operations\n tools = await client.list_tools()\n\n print(f\"tools: {tools}\")\n \nasyncio.run(main())\n```\n\n2. Ensure that the MCP server located at `http://127.0.0.1:8000/mcp` supports oauth.\n3. Start the client.\n4. As soon as the callback server has been started, access `http://localhost:1337/callback?error=\u003cimg/src/onerror=alert(window.origin)\u003e`\n\nNote that the exploitation could also for example be initiated by a malicious authorization server by returning the exploitation URL mentioned before in the `authorization_endpoint` field. The client would then automatically open, causing the XSS to trigger immediatly.\n\n### Impact\nThe impact of this XSS vulnerability is the arbitrary JavaScript execution in the victim\u0027s browser in the callback server\u0027s origin.",
"id": "GHSA-mxxr-jv3v-6pgc",
"modified": "2025-10-29T15:39:21Z",
"published": "2025-10-29T15:38:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jlowin/fastmcp/security/advisories/GHSA-mxxr-jv3v-6pgc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62800"
},
{
"type": "WEB",
"url": "https://github.com/jlowin/fastmcp/pull/2090"
},
{
"type": "WEB",
"url": "https://github.com/jlowin/fastmcp/commit/2a20f54617a37213ed83894a8c2f0ac38a2e83a3"
},
{
"type": "PACKAGE",
"url": "https://github.com/jlowin/fastmcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FastMCP vulnerable to reflected XSS in client\u0027s callback page"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.