Home

CVE-2025-62800

Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.

Risk Information

Base Score
6.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.041

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2025-62800,CVE-2025-62801 are fixed in Python-fastmcp 2.13.0Windows
Vulnerabilities CVE-2025-62800,CVE-2025-62801 are fixed in Python-fastmcp for linux 2.13.0Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234