FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. This issue has been patched in version 3.2.0.
oryginał ENCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XJlowin Fastmcp
APPJlowin< 3.2.0
Powiązane podatności
FastMCP: path traversal i SSRF przez niekodowane parametry ścieżki URL
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not ...
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containi...
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cro...
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection...