216.73.217.86

CVE-2025-62800

· Published 28/10/2025 22:15 · Modified 28/10/2025 22:15

Labels: CVE-2025-62800 2025-10-28CVE-2025-62800CWE-79[email protected]

Essential information

Published
28/10/2025 22:15
Modified
28/10/2025 22:15
Author
Creator
CVSS
5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
fastmcp / fastmcp cpe:2.3:a:fastmcp:fastmcp:<2.13.0:*:*:*:*:*:*:*
fastmcp / fastmcp cpe:2.3:a:fastmcp:fastmcp:2.13.0:*:*:*:*:*:*:*

References