CVE-2025-62800

FastMCP vulnerable to reflected XSS in client's callback page

Description

FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0 have a reflected cross-site scripting vulnerability in the OAuth client callback page (oauth_callback.py) where unescaped user-controlled values are inserted into the generated HTML, allowing arbitrary JavaScript execution in the callback server origin. The issue is fixed in version 2.13.0.

INFO

Published Date :

2025-10-28T21:34:40.392Z

Last Modified :

2025-10-28T21:34:40.392Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-62800 vulnerability.

Vendors	Products
Fastmcp	Fastmcp

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62800.

URL	Resource
https://github.com/jlowin/fastmcp/security/advisories/GHSA-mxxr-jv3v-6pgc

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability