98 matches found
Reflected Cross Site Scripting (XSS)
FastMCP is vulnerable to a reflected cross-site scripting (XSS) attack. The vulnerability is due to unescaped user-controlled input being reflected in the OAuth client callback HTML page oauthcallback.py, which allows an attacker to inject and execute arbitrary JavaScript in the context of the callback...
CVE-2025-66416 DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost...
CVE-2025-62801
FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fix...
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
Summary: A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. Details: 1. generatecursordeeplinkservername, … embeds server_name verbatim in a cursor://…?name= query string...
aenvironment (=0.1.7rc1), agentfetch-mcp (>=1.0.0 <=1.0.1) +211 more potentially affected by CVE-2025-62801 via fastmcp (>=0.1.0 <=2.12.5)
fastmcp PYPI version =0.1.0, =1.0.0, =0.4.6, =1.8.0, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =0.1.12, =0.9.30, =0.9.77 and more Source cves: CVE-2025-62801 Source advisory: OSV:GHSA-RJ5C-58RQ-J5G5...
EUVD-2025-36567
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name...
GHSA-RJ5C-58RQ-J5G5 FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
Summary: A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. Details: 1. generatecursordeeplinkservername, … embeds server_name verbatim in a cursor://…?name= query string...
GHSA-MXXR-JV3V-6PGC FastMCP vulnerable to reflected XSS in client's callback page
Summary: While setting up an OAuth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected cross-site scripting vulnerability. Details: The affected code is located in...
aenvironment (=0.1.7rc1), agentfetch-mcp (>=1.0.0 <=1.0.1) +211 more potentially affected by CVE-2025-62800 via fastmcp (>=0.1.0 <=2.12.5)
fastmcp PYPI version =0.1.0, =1.0.0, =0.4.6, =1.8.0, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =0.1.12, =0.9.30, =0.9.77 and more Source cves: CVE-2025-62800 Source advisory: OSV:GHSA-MXXR-JV3V-6PGC...
EUVD-2025-36568
FastMCP vulnerable to reflected XSS in client's callback page...
FastMCP vulnerable to reflected XSS in client's callback page
Summary: While setting up an OAuth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected cross-site scripting vulnerability. Details: The affected code is located in...
aenvironment (=0.1.7rc1), agentic-ai-engineering-course (>=0.4.6 <=0.4.7) +164 more potentially affected by unknown CVE via fastmcp (>=2.0.0 <=2.12.5)
fastmcp PYPI version =2.0.0, =0.4.6, =1.8.0, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =0.1.12, =0.9.30, =0.14.3, =0.18.5 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-FASTMCP-13776148...
aenvironment (=0.1.7rc1), agentfetch-mcp (>=1.0.0 <=1.0.1) +211 more potentially affected by unknown CVE via fastmcp (>=0.1.0 <=2.12.5)
fastmcp PYPI version =0.1.0, =1.0.0, =0.4.6, =1.8.0, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =0.1.12, =0.9.30, =0.9.77 and more Source cves: unknown CVE Source advisory: OSV:GHSA-C2JP-C369-7PVX...
EUVD-2025-36666
FastMCP Auth Integration Allows for Confused Deputy Account Takeover...
GHSA-C2JP-C369-7PVX FastMCP Auth Integration Allows for Confused Deputy Account Takeover
Summary: FastMCP documentation covers the scenario where it is possible to use Entra ID or other providers for authentication. In this context, because Entra ID does not support Dynamic Client Registration (DCR), the FastMCP-hosted MCP server is acting as the authorization provider, as declared in t...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview: fastmcp is "The fast, Pythonic way to build MCP servers and clients." Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') during authentication with OAuth providers that don't support Dynamic Client Registration (DCR). An attacker can...
FastMCP Auth Integration Allows for Confused Deputy Account Takeover
Summary: FastMCP documentation covers the scenario where it is possible to use Entra ID or other providers for authentication. In this context, because Entra ID does not support Dynamic Client Registration (DCR), the FastMCP-hosted MCP server is acting as the authorization provider, as declared in t...
Command Injection
Overview: fastmcp is "The fast, Pythonic way to build MCP servers and clients." Affected versions of this package are vulnerable to Command Injection via the server_name field. An attacker can execute arbitrary OS commands by supplying crafted input to this field during the installation process on...
aenvironment (=0.1.7rc1), agentic-ai-engineering-course (>=0.4.6 <=0.4.7) +178 more potentially affected by CVE-2025-62801 via fastmcp (>=2.0.0 <=2.13.0)
fastmcp PYPI version =2.0.0, =0.4.6, =1.8.0, =3.2.0, =3.2.0, =4.2.2, =3.0.2, =0.2.7, =1.0.0rc1, =0.2.7, =1.7.3, =0.1.12, =0.9.30, =0.14.3, =0.18.5 and more Source cves: CVE-2025-62801 Source advisory: SNYK:PYTHON-FASTMCP-13745516...