Description

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.

INFO

Published Date :

2025-05-01T00:50:27.543Z

Last Modified :

2025-05-01T15:33:23.092Z

Source :

cloudflare
AFFECTED PRODUCTS

The following products are affected by CVE-2025-4144 vulnerability.

Vendors Products
Cloudflare
  • Workers-oauth-provider
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-4144.

URL Resource
https://github.com/cloudflare/workers-oauth-provider/pull/27 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact