@anngdinh/remote-mcp-server-authless (=0.0.0), @aredes.me/mcp-camara (=1.0.6) +128 more potentially affected by unknown CVE via agents (>=0.0.100 <=0.2.35)

agents NPM version =0.0.100, =0.4.0, =1.1.1, =0.2.0, =0.1.0, =0.0.1, =1.0.2, =1.0.1, =0.2.0, =0.5.3 and more Source cves: unknown CVE Source advisory: SNYK:JS-AGENTS-15282793...

CVE-2025-4144

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27...

CVE-2025-4144

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27...