CVE-2025-4144

216.73.216.6

· Published 01/05/2025 01:15 · Modified 01/05/2025 01:15

Labels: CVE-2025-4144 2025-05-01 CVE-2025-4144 CWE-287 [email protected]

Essential information

Published: 01/05/2025 01:15
Modified: 01/05/2025 01:15
Author: —
Creator: —
CVSS: 5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
cloudflare / workers oauth provider	`cpe:2.3:a:cloudflare:workers_oauth_provider::::::::`