CVE-2025-69196

Source
https://cve.org/CVERecord?id=CVE-2025-69196
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69196.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-69196
Aliases
Downstream
Published
2026-03-16T18:07:06.332Z
Modified
2026-04-10T05:36:40.570626Z
Severity
  • 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
FastMCP OAuth Proxy token reuse across MCP servers
Details

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token requests. Instead of issuing the token explicitly for the requested MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization, so a token obtained for one MCP server behind the proxy is accepted by the others sharing that base_url. This issue has been patched in version 2.14.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69196.json",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/jlowin/fastmcp

Affected ranges

Type
GIT
Repo
https://github.com/jlowin/fastmcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.14.2"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v1.*
v1.0
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.12.0rc1
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.13.0
v2.13.0.1
v2.13.0rc1
v2.13.0rc2
v2.13.0rc3
v2.13.1
v2.13.2
v2.14.0
v2.14.1
v2.2.0
v2.2.1
v2.2.10
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.0-rc.1
v2.3.0-rc.2
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69196.json"

Git / github.com/prefecthq/fastmcp

Affected ranges

Type
GIT
Repo
https://github.com/prefecthq/fastmcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.14.2"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v1.*
v1.0
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.11.0
v2.11.1
v2.11.2
v2.11.3
v2.12.0
v2.12.0rc1
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.13.0
v2.13.0.1
v2.13.0rc1
v2.13.0rc2
v2.13.0rc3
v2.13.1
v2.13.2
v2.14.0
v2.14.1
v2.2.0
v2.2.1
v2.2.10
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.0-rc.1
v2.3.0-rc.2
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69196.json"