GHSA-mxxr-jv3v-6pgc

Source

https://github.com/advisories/GHSA-mxxr-jv3v-6pgc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-mxxr-jv3v-6pgc/GHSA-mxxr-jv3v-6pgc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mxxr-jv3v-6pgc

Aliases

CVE-2025-62800

Published

2025-10-29T15:38:29Z

Modified

2025-10-29T15:51:47.307767Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

FastMCP vulnerable to reflected XSS in client's callback page

Details

Summary

While setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected Cross-Site-Scripting vulnerability.

Details

The affected code is located in https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/client/oauth_callback.py, which embeds all values passed to the create_callback_html function via the message parameter it into the callback page without escaping them. This can, for example, be abused by calling the callback server with an XSS payload inside the error GET parameter, the value of which will then be inserted into the callback page, causing the execution of attacker-controlled JavaScript code in the callback server's origin. Note that besides the error parameter, other parameters reaching this function are affected too.

PoC

Setup a simple fastmcp client such as this one (the callback server's port was fixated for simplicity):

url="http://127.0.0.1:8000/mcp"
oauth = OAuth(mcp_url=url,callback_port=1337)

async def main():
    async with Client(url, auth=oauth) as client:
        await client.ping()

        # List available operations
        tools = await client.list_tools()

        print(f"tools: {tools}")

asyncio.run(main())

Ensure that the MCP server located at http://127.0.0.1:8000/mcp supports oauth.
Start the client.
As soon as the callback server has been started, access http://localhost:1337/callback?error=<img/src/onerror=alert(window.origin)>

Note that the exploitation could also for example be initiated by a malicious authorization server by returning the exploitation URL mentioned before in the authorization_endpoint field. The client would then automatically open, causing the XSS to trigger immediatly.

Impact

The impact of this XSS vulnerability is the arbitrary JavaScript execution in the victim's browser in the callback server's origin.

Database specific

{
    "github_reviewed_at": "2025-10-29T15:38:29Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-10-28T22:15:36Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / fastmcp

Package

Name: fastmcp; View open source insights on deps.dev
Purl: pkg:pypi/fastmcp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.4.0

0.4.1

1.*

1.0

2.*

2.0.0

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.3.0rc1

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.9.2

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.11.0

2.11.1

2.11.2

2.11.3

2.12.0rc1

2.12.0

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.13.0rc1

2.13.0rc2

2.13.0rc3